31.0.0 Red Diamond
IR
339446
CloudBasic
03:59:37
14/01/2021
sample1.bin
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
MD5:    7dbd8ecfada1d39a81a58c9468b91039
SHA1:   0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
Microsoft Word document (32009/1) 54.23%
true
false
false
false
100
0
100
5
0
5
false
Path | Flag | MD5 | SHA1 | SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc | false | 7E9AB23E4F7C98AF0A03B64E3C14D7F6 | BAD0DC91FB2929FDBF66E569257BABA97E1EC233 | 532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc | false | DA122309698B26E96848A6A829EEF5C1 | DFA1B8C96C19827A595EEB15B2EC5386F9746CEF | 26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.doc | false | 1D35754EDB0B7AA76891735215FC048A | E0B1C34B3C39C1F097B7A3749174D098DC51E265 | C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0005.doc | false | 7E9AB23E4F7C98AF0A03B64E3C14D7F6 | BAD0DC91FB2929FDBF66E569257BABA97E1EC233 | 532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0666.doc | false | DA122309698B26E96848A6A829EEF5C1 | DFA1B8C96C19827A595EEB15B2EC5386F9746CEF | 26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0798.doc | false | 1D35754EDB0B7AA76891735215FC048A | E0B1C34B3C39C1F097B7A3749174D098DC51E265 | C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{35EB0BAB-3BC6-4A41-A07F-15EEA53DBB38}.tmp | false | EAA701BCC2359F9297273D117620CA80 | D9E2AC26703E2668720A5B3E796DF52F3F52674A | 497E3B43D545A03EE2E00324DEAC332FD13FF811F41B42F881BCAD29AE14250D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5C9B88B-61BE-41BF-89DB-AF92964D1C77}.tmp | false | 5D4D94EE7E06BBB0AF9584119797B23A | DBB111419C704F116EFA8E72471DD83E86E49677 | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.LNK | false | 5C048363FB804C47823972D53B75D3A5 | FF2FD7DCCF53FA0A6F7E4DED1080C26A6A8F97AE | FE5D58BEC071D21ECEAD746CFCF14EEC223B18E18282DECB92D49CB8607885AA
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK | false | 13715C1A57AC925C6D3529F23D8A0489 | 7475EF6A91727FD8449840C0B783B3FD34D5D7F1 | 29832B00F50E3D4E063F7C97E2430C5A0F833CB5D3A2E66C1DFE2AE990C94832
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | false | 9DDA3519F04FDEEB47B198EDD010E507 | AC6C4075745C0F0064ADED9504934DDA44CB30E9 | A677F9380C0B0EB229D861D18FDDFFD4642FFCAF1ABF9007A77EC37F05F0BDBC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample1.LNK | false | 2EAF88677CD16A68B2CD4263BA9E7CE0 | AA9B6C640105E9474BABBF76571C364926445178 | 919A3D28BFBE2D4CE57DCF0A8B1400DB858BAD490FEB436C3F4EFE343EB262BB
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | false | 39EB3053A717C25AF84D576F6B2EBDD2 | F6157079187E865C1BAADCC2014EF58440D449CA | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\user\Desktop\~$ample1.doc | false | 39EB3053A717C25AF84D576F6B2EBDD2 | F6157079187E865C1BAADCC2014EF58440D449CA | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\Public\Ksh1.pdf | true | 706EA7F029E6BC4DBF845DB3366F9A0E | 942443DFB8784066523DB761886115E08C99575F | FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
C:\Users\Public\~$Ksh1.doc | false | 39EB3053A717C25AF84D576F6B2EBDD2 | F6157079187E865C1BAADCC2014EF58440D449CA | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\Public\~$Ksh1.xls | false | 39EB3053A717C25AF84D576F6B2EBDD2 | F6157079187E865C1BAADCC2014EF58440D449CA | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\Public\~WRD0000.tmp | false | D631AB4CEFF199B52FF4E4B7AAD0199D | F30002C31BF32184507182100942A2012F0B8703 | 9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
C:\Users\Public\~WRD0004.tmp | false | D631AB4CEFF199B52FF4E4B7AAD0199D | F30002C31BF32184507182100942A2012F0B8703 | 9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
177.130.51.198
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet