31.0.0 Emerald
IR
356502
CloudBasic
09:03:50
23/02/2021
Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
d765dcbdabed2ed1dd0fdd8800f221ed
be68fc678cca6434577d7af59abf129569ab7b47
d2693c3162e3ea906bf7fc546a07985a3bf55bbfb78f52015265cf7140eed31f
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.log
true
1DC1A2DCC9EFAA84EABF4F6D6066565B
B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmp8B36.tmp
true
D9D1C867D06A3C4424E37DE3E7433EAE
91B9B926B8EB63ABA169829EC238D0A95F9C3127
94A1ECAAC917C26B04D29202121DEDDFCEB81DA3D6F667B81CF4F33A4E2F1017
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
838CD9DBC78EA45A5406EAE23962086D
C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
94B9CF650DCB8C2D129D5E8B1D940170
5C0A796FEBE9520A98018D1F36731E35DBAFCE62
84F05EE5CD6B34BDB8092DFFC6DF97DFD0159089282BE74E80AF8CED0CE86125
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
4E5E92E2369688041CC82EF9650EDED2
15E44F2F3194EE232B44E9684163B6F66472C862
F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
7E8F4A764B981D5B82D1CC49D341E9C6
D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\OEpDLNVZW.exe
true
D765DCBDABED2ED1DD0FDD8800F221ED
BE68FC678CCA6434577D7AF59ABF129569AB7B47
D2693C3162E3EA906BF7FC546A07985A3BF55BBFB78F52015265CF7140EED31F
C:\Users\user\AppData\Roaming\OEpDLNVZW.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
45.137.22.36
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected Nanocore RAT