31.0.0 Emerald
IR
381644
CloudBasic
02:35:32
04/04/2021
wDIaJji4Vv.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT