31.0.0 Red Diamond
IR
339167
CloudBasic
16:30:48
13/01/2021
info_2020_NJY_31940448.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
MD5: e99693721af4330b2f4f0e4ca39f74df
SHA1: 8d5141493dc9e88dd82f55ebbc9c538764127887
SHA256: c081588672d7e47686d25c4e55de905404749c4ab80a8ba47eb66ceb77c4bc3e
Microsoft Word document (32009/1) 79.99%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07B73A5-D643-47FF-B622-0CF30ED55516}.tmp
false
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
MD5: 3F41D10BF9F9AF03A04023D8E8049989
SHA1: 3986F88F1BC337C32825E1E03453ABBE36B8FCD4
SHA256: FAC7D2875B651552EBC9DFBAF39084E0741D33DE13470AFAFA67779EA7F8ABAC

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\info_2020_NJY_31940448.LNK
false
MD5: B40F3772B12E7A1C991296DE6EAA34D5
SHA1: 6DE879D4890CB03D3FAD473FF7BACA7089FD1D52
SHA256: 568D6E386FB7F4D117EB76D677B91F07D9A5F555046FA95ED92F2002EB91A0A5

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJ17GIRPUSXWYYEETPX6.temp
false
MD5: 6E003B978C8532648584BE98AC76BBCC
SHA1: A9382D50E314C182CD968195BD87C74825F75CFC
SHA256: E0B2EAEC1DFAF37935F05D59B56FC6213799EA9AFE2C3546A5CF6028434E2A4F

C:\Users\user\Desktop\~$fo_2020_NJY_31940448.doc
false
MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

C:\Users\user\Ygyhlqt\Bx5jfmo\R43H.dll
true
MD5: 759F11DE546F75EC1B576ED031C7A1DC
SHA1: A727EBFC32B3C8C7B1FE073F009C53D49FAE6F72
SHA256: BBB9C1B98EC307A5E84095CF491F7475964A698C90B48A9D43490A05B6BA0A79
152.170.79.100
35.208.69.64
allcannabismeds.com
true
35.208.69.64
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet