31.0.0 Emerald
IR
356522
CloudBasic
09:27:42
23/02/2021
Payment_pdf.cmd
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
aa4f187df7370b07d17cbe08abd778a0
e2cf0a14a87a8b87c15634f062c9b54f687c5d83
fe378f1e009b2b77c3e08de81d767a79fee3bce433810158b3be3d470baac6b7
Win32 Executable (generic) Net Framework (10011505/4) 50.01%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Network\Downloader\edb.log
false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
false
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Payment_pdf.exe_139ed38f07af8218e2747a96a80316b1691ab93_152ff5f2_1848fc06\Report.wer
true
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7794.tmp.dmp
false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1A.tmp.WERInternalMetadata.xml
false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA28E.tmp.xml
false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2BA.tmp.csv
false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD1C.tmp.txt
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oebs23ox.3ze.ps1
false
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wraqb44f.o35.psm1
false
C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe
true
C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe:Zone.Identifier
true
C:\Users\user\Documents\20210223\PowerShell_transcript.936905.KHdwfTvI.20210223092902.txt
false
C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe
true
C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe:Zone.Identifier
true
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
false
192.168.2.1
172.67.172.17
127.0.0.1
coroloboxorozor.com
true
172.67.172.17
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the Windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla