31.0.0 Red Diamond
IR
339440
CloudBasic
03:24:36
14/01/2021
sample1.bin
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
7dbd8ecfada1d39a81a58c9468b91039
0d21e2742204d1f98f6fcabe0544570fd6857dd3
dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
Microsoft Word document (32009/1) 54.23%
Creates and opens a fake document (probably a decoy document to hide the exploitation)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the Windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet