31.0.0 Red Diamond
IR
339441
CloudBasic
03:30:32
14/01/2021
sample1.bin
defaultwindowsofficecookbook.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
7dbd8ecfada1d39a81a58c9468b91039
0d21e2742204d1f98f6fcabe0544570fd6857dd3
dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
Microsoft Word document (32009/1) 54.23%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Network\Downloader\edb.log
false
E3708C8D87BB674A73482801402474E3
1A8D2302B3B042C763528D0CBB69D8B32E5768E7
78C9AA6D0570C9B49AE1CFC3B608B30FFC8809896D74C59F45016618EE04402A
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
false
F53ACAEFC5B0D6FA3CAD9BF844F56527
235FDA870F3985D2B06591F1A801429DFC8B7D95
36D0D2B2DE84A519775E95168C7917292840B9E2F85E159479E627E49DDAAD93
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
false
D0E53B0EC516725F17F6813C5587E2CF
E68A9E8F8825657423F377CCAFE9B9D5A4A2BDB4
00B2DBA055649AAB282B7266498110A79F6DDA6450384FD2DBC87E11A608233A
C:\Users\Public\Ksh1.pdf
true
706EA7F029E6BC4DBF845DB3366F9A0E
942443DFB8784066523DB761886115E08C99575F
FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
C:\Users\Public\~$Ksh1.doc
false
61CCB0AE1C8D3B3D7D8D942BBA014043
2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
C:\Users\Public\~$Ksh1.xls
false
61CCB0AE1C8D3B3D7D8D942BBA014043
2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
C:\Users\Public\~WRD0000.tmp
false
D631AB4CEFF199B52FF4E4B7AAD0199D
F30002C31BF32184507182100942A2012F0B8703
9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
C:\Users\Public\~WRD0004.tmp
false
D631AB4CEFF199B52FF4E4B7AAD0199D
F30002C31BF32184507182100942A2012F0B8703
9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C8E730CE-6109-4C50-987F-9ABD6FDBDF02
false
661BE377FBBB4BE41867FF9F66664830
1F08FBA111DB2373EEA90D0BE534FF96998DF109
82E370595448D5EFFECDC840506EA2B0621479083972B182F6DBB0CA918CB3AB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0001.doc
false
7E9AB23E4F7C98AF0A03B64E3C14D7F6
BAD0DC91FB2929FDBF66E569257BABA97E1EC233
532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0002.doc
false
DA122309698B26E96848A6A829EEF5C1
DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0003.doc
false
1D35754EDB0B7AA76891735215FC048A
E0B1C34B3C39C1F097B7A3749174D098DC51E265
C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0005.doc
false
7E9AB23E4F7C98AF0A03B64E3C14D7F6
BAD0DC91FB2929FDBF66E569257BABA97E1EC233
532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0364.doc
false
DA122309698B26E96848A6A829EEF5C1
DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0497.doc
false
1D35754EDB0B7AA76891735215FC048A
E0B1C34B3C39C1F097B7A3749174D098DC51E265
C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{78283799-0F83-48EF-8031-734426429AE8}.tmp
false
0F250E413D15A1C2DB1B79541FF9D33F
40F86097D1D76126B0DD3DBAF35FADFFA5E622C9
805EFC1FB704122039602B882A459C75D26E1788E38232921050C46624974EBD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CCDBE93F-C124-4002-A8A4-82387CB4CA40}.tmp
false
5D4D94EE7E06BBB0AF9584119797B23A
DBB111419C704F116EFA8E72471DD83E86E49677
4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
false
E2A926928C5A07B9CE5C3AF850EAB104
346277EA0EC329E2DAC52F50C8E58F4F0BF6762D
9E6FF5B1CB14ACB68D56BAB25B568A506FE3DAE13B9601306687C8FEC31FB50F
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
false
B2C26F4E7D63823BACCFBED8A4F234C0
CF64A7A23F44D0FA20673456F7C8AAB96ED6F045
27E0AF7C33CA7069BDDF351C871A38E5AA37C232C9879E44ED0EF825BD03DB0D
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
false
C0B0B8426F83EF2F8A60DBF14BE87297
71C06754571BC5D8086EC6A1510E07613FC3CC21
038D6DC1A0C8E20DC41857093EEBFDFD635CFB4B4272520CAE67817110475267
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.doc.LNK
false
9D3C1C4DB5B591B8D47852847E19FF04
5DA05072C70C918D4C5F8463E64A5E60993F0277
1BAA0597E24756A8FBBF5563AFF17F2BB0D328158ED40221D4D50CEC9271D335
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.xls.LNK
false
623DBB8DBBCA4AAA84C9D0B51D2294AA
ED9CF95C49771F3F4BA706367FDF131F3536EDF8
869594510F0C7C4AA0B36EC430A5565D02D1228D6FC8357079F83AAA87E79727
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
false
D20EC39F272E325460490D56EB95738F
5B40AEB7E5FBB6C34A62808981C94D7B95E92A68
B91AEE090146F1DAED24BB4148EF9B471834012BBB1E89223522F82A5CC3E33E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
FD72007F8A3EB8088D84D55642E4BD50
E4EA33BEAB25EFE67858F1935F8D5F0BACA65E4B
51DF55852A44D725F534237277FCF0FC82A78A17E0ABB73ADDBB4F870B075948
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample1.doc.LNK
true
BD2560F66385CC85CDA44422341BE635
F4066416295028DA67836117A585CEBF2161F96C
4DB40943AADE005210F9B32BB7C34F9C2986801F3FFAE0A0CC71A70E13D8B3D1
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
61CCB0AE1C8D3B3D7D8D942BBA014043
2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
C:\Users\user\Desktop\~$ample1.doc
false
61CCB0AE1C8D3B3D7D8D942BBA014043
2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
false
DCA83F08D448911A14C22EBCACC5AD57
91270525521B7FE0D986DB19747F47D34B6318AD
2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
192.168.2.1
127.0.0.1
ip166475689.ahcdn.com
false
188.209.213.202
mov.pornthash.mobi
false
104.21.4.61
pornthash.mobi
false
104.21.4.61
Changes security center settings (notifications, updates, antivirus, firewall)
Creates and opens a fake document (probably a fake document used to hide the exploitation)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince the victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)