31.0.0 Emerald
IR
345226
CloudBasic
20:57:45
27/01/2021
68254_2001.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
72a3bbd36a5aa4c5249d1ec4766369b8
68e23b96d389bd088e3c377555e5e88e239b536d
8c425fd958630a27d8ad158e21c4fc627c6b594931da974faf655707d6e06ea2
Microsoft Word document (32009/1) 79.99%
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet