Joe Sandbox version: 31.0.0 Emerald
(unlabelled field in the export): IR
Analysis ID: 344273
Product: CloudBasic
Start time: 10:48:08
Start date: 26/01/2021
Sample name: Bestellung.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
Sample MD5: 268e0826d78c069d3834a8203a44af4f
Sample SHA1: 5f14c1a62195af4f3018b57d097876fb41da7937
Sample SHA256: f9f3c11c9f92d92d74eb40958a14d97f0f36497b6c86109b237628815642102a
File type (TrID): Microsoft Word document (32009/1) 79.99%

Verdict: malicious = true; suspicious / clean / unknown = false
Score: 100 (scale 0 to 100)
Confidence: 5 (scale 0 to 5)
Additional flag (unlabelled in the export): false
Dropped files (path, flagged malicious, MD5, SHA1, SHA256):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  malicious: false
  MD5:    E4F1E21910443409E81E5B55DC8DE774
  SHA1:   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  malicious: false
  MD5:    58751C83321658B822D07F96886AC97D
  SHA1:   9A2EAD2389445754B505B5C9EBB7B8004AB82248
  SHA256: B15FF38BF16C183D1D32FB26EEA232C5D3440D324BEDFB1860CAD1122011D65B

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE8CBF3-349E-46EF-BF24-C3A751787722}.tmp
  malicious: false
  MD5:    5D4D94EE7E06BBB0AF9584119797B23A
  SHA1:   DBB111419C704F116EFA8E72471DD83E86E49677
  SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F1BBA518-FEA2-4C8F-A842-E861097210AC}.tmp
  malicious: false
  MD5:    6EBEA8A29F9CE829445697F77DFF575C
  SHA1:   EFB7D697B8CA2D1372505D914D97F34C398A2DB3
  SHA256: 24130780D2254809D96AD425061180079D45A7977FD81723F5201CDF815882DD

C:\Users\user\AppData\Local\Temp\Cab7446.tmp
  malicious: false
  MD5:    E4F1E21910443409E81E5B55DC8DE774
  SHA1:   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\Local\Temp\Tar7447.tmp
  malicious: false
  MD5:    D0682A3C344DFC62FB18D5A539F81F61
  SHA1:   09D3E9B899785DA377DF2518C6175D70CCF9DA33
  SHA256: 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bestellung.LNK
  malicious: false
  MD5:    03C028B20A018596DE32CA7839217BF1
  SHA1:   03EA0C629A9F3F19273081BF28D1C2184086CBC7
  SHA256: 9FBB99F78F3B7F2A2DFBAF9B503CD7CD92138FAE5E1BA86242B6892CC3A05D5D

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  malicious: false
  MD5:    BD856F6AAF53F6047E897B1A11F44009
  SHA1:   2881B2C812A7A6FCAC8AB1FCE091CA16CEEEA48C
  SHA256: 1DF6E64EF171D86A9944D6EC37DEB14ADFD43AABBC3115EA3B46731FE53944DD

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  malicious: false
  MD5:    39EB3053A717C25AF84D576F6B2EBDD2
  SHA1:   F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5TV0P1DTRO3H8K2VU4A.temp
  malicious: false
  MD5:    A1C086422CDDA67BE908D501597CF798
  SHA1:   5A3B7DC3D7777A25F4B774112BE82542CFA9EB38
  SHA256: B3811F245DE30C19318BAC9AF119066B6429894C233B704D8A270D37AF3ABDA9

C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
  malicious: true
  MD5:    AAB0A07CC43D3668060B276D2CADA799
  SHA1:   0DB1EFC93F344EC0172E33CC168417495B6A1698
  SHA256: F87BEED935FBE173F635CA3574F4B18EC1657941DA9778C448339ECACBF35698

C:\Users\user\Desktop\~$stellung.doc
  malicious: false
  MD5:    39EB3053A717C25AF84D576F6B2EBDD2
  SHA1:   F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
Contacted IP addresses:
104.21.88.166
70.32.89.105
203.157.152.9
45.138.97.75
132.248.38.158
172.217.6.174
110.172.180.180
157.245.145.87
192.0.78.20
212.227.200.73
190.55.186.229
161.49.84.2
Contacted domains (name, flagged malicious, resolved IP):
shop.nowfal.dev             malicious: true   resolved to 104.21.88.166
traumfrauen-ukraine.de      malicious: true   resolved to 212.227.200.73
e-wdesign.eu                malicious: true   resolved to 45.138.97.75
nightlifemumbai.club        malicious: true   resolved to 172.217.6.174
jflmktg.wpcomstaging.com    malicious: true   resolved to 192.0.78.20
Behavior signatures:
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
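The dropped-file, IP and domain records above are the part of this report an analyst actually consumes, and they reward a few checks before anything is pushed to a blocklist: only one dropped file is flagged malicious, two pairs of entries are byte-identical (the CryptnetUrlCache content file and Cab7446.tmp share one hash, the two Office `~$` owner files share another), and seven of the twelve contacted IPs are not explained by any listed domain. The script below is an added example, not part of the sandbox output; it embeds the report's own records (SHA256 only, to keep it short), validates the digests by length, groups duplicate content, separates direct from domain-resolved IPs, and emits an indicator set. Function names and the output layout are this example's own choices.

```python
"""IOC triage over the dropped-file, IP and domain records of the sandbox report above.
Added example; the data rows are copied from the report, the helpers are ours."""
import re
from collections import defaultdict

# (path, flagged malicious, SHA256) from the report's dropped-file list.
DROPPED = [
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506",
     False, "CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5"),
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506",
     False, "B15FF38BF16C183D1D32FB26EEA232C5D3440D324BEDFB1860CAD1122011D65B"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE8CBF3-349E-46EF-BF24-C3A751787722}.tmp",
     False, "4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F1BBA518-FEA2-4C8F-A842-E861097210AC}.tmp",
     False, "24130780D2254809D96AD425061180079D45A7977FD81723F5201CDF815882DD"),
    (r"C:\Users\user\AppData\Local\Temp\Cab7446.tmp",
     False, "CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5"),
    (r"C:\Users\user\AppData\Local\Temp\Tar7447.tmp",
     False, "4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bestellung.LNK",
     False, "9FBB99F78F3B7F2A2DFBAF9B503CD7CD92138FAE5E1BA86242B6892CC3A05D5D"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat",
     False, "1DF6E64EF171D86A9944D6EC37DEB14ADFD43AABBC3115EA3B46731FE53944DD"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm",
     False, "CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5TV0P1DTRO3H8K2VU4A.temp",
     False, "B3811F245DE30C19318BAC9AF119066B6429894C233B704D8A270D37AF3ABDA9"),
    (r"C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll",
     True, "F87BEED935FBE173F635CA3574F4B18EC1657941DA9778C448339ECACBF35698"),
    (r"C:\Users\user\Desktop\~$stellung.doc",
     False, "CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A"),
]

# Contacted IPs and (domain, flagged malicious, resolved IP) rows from the report.
CONTACTED_IPS = [
    "104.21.88.166", "70.32.89.105", "203.157.152.9", "45.138.97.75",
    "132.248.38.158", "172.217.6.174", "110.172.180.180", "157.245.145.87",
    "192.0.78.20", "212.227.200.73", "190.55.186.229", "161.49.84.2",
]
DOMAINS = [
    ("shop.nowfal.dev", True, "104.21.88.166"),
    ("traumfrauen-ukraine.de", True, "212.227.200.73"),
    ("e-wdesign.eu", True, "45.138.97.75"),
    ("nightlifemumbai.club", True, "172.217.6.174"),
    ("jflmktg.wpcomstaging.com", True, "192.0.78.20"),
]

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value):
    """Classify a hex digest by length; reject anything that is not clean hex of a known size."""
    if len(value) not in HASH_KINDS or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_KINDS[len(value)]


def malicious_dropped(records=DROPPED):
    """Paths of dropped files the sandbox flagged as malicious (the payload DLL here)."""
    return [path for path, flagged, _ in records if flagged]


def duplicate_content(records=DROPPED):
    """Group dropped files by SHA256 and keep only groups with more than one path."""
    groups = defaultdict(list)
    for path, _, digest in records:
        hash_kind(digest)                      # fail loudly on a mangled digest
        groups[digest.lower()].append(path)
    return {digest: paths for digest, paths in groups.items() if len(paths) > 1}


def unattributed_ips(ips=CONTACTED_IPS, domains=DOMAINS):
    """Contacted IPs that no listed domain resolved to: direct connections, e.g. C2 by address."""
    resolved = {ip for _, _, ip in domains}
    return [ip for ip in ips if ip not in resolved]


def indicator_set(records=DROPPED, ips=CONTACTED_IPS, domains=DOMAINS):
    """Indicators split by how safely they can be blocked: IPs reached only through a
    domain are kept apart, since such hosts are frequently shared hosting or CDN edges."""
    return {
        "sha256": sorted({d.lower() for _, flagged, d in records if flagged}),
        "domain": sorted(name for name, flagged, _ in domains if flagged),
        "ipv4_direct": sorted(unattributed_ips(ips, domains)),
        "ipv4_via_domain": sorted({ip for _, flagged, ip in domains if flagged}),
    }


if __name__ == "__main__":
    print("malicious dropped files:", malicious_dropped())
    for digest, paths in duplicate_content().items():
        print("identical content", digest[:12], "->", paths)
    for kind, values in indicator_set().items():
        print(kind, values)
```

The split in `indicator_set` is the caveat worth carrying into a blocklist: the five domains are the strong network indicators, while the IPs they resolved to (a Cloudflare range, a Google range and a WordPress.com staging host among them) are shared infrastructure and should be hunted on, not blocked outright; the seven direct IPs and the J47K.dll hash are the indicators with the least collateral.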