31.0.0 Emerald
IR
383183
CloudBasic
12:06:12
07/04/2021
n4CeZTejKM.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
b8362f2f6e0353819fa0dd8a35ef6a58
f1cb392fa0fd6acbb6eb1d858064a74fd5272ff3
0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
true
B8362F2F6E0353819FA0DD8A35EF6A58
F1CB392FA0FD6ACBB6EB1D858064A74FD5272FF3
0EF41DABAA6AF07317DD45595F15625CB7517650BB13B365DE0717D3CAD26197
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
false
B1DB55991C3DA14E35249AEA1BC357CA
0DD2D91198FDEF296441B12F1A906669B279700C
34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\n4CeZTejKM.exe.log
true
B1DB55991C3DA14E35249AEA1BC357CA
0DD2D91198FDEF296441B12F1A906669B279700C
34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
4E751BEC18CCAEBDF0AF573AE7A32B77
43858D8314FE18D541C90EEF073BFBFF06C28786
08B67A67D18C85BDBAC791C00B5096A960B73350CDD4F4CF6436F9CC4841C40B
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
360726589E368B010C01F35D52906539
507D57012C48F6EC0BE394AE89F0E06EA8DF0DAB
82A976F5287DA86EE2E2F12358EBE120B107DD06DB9B0FACE79F2A7CC7E2B8F4
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axdeg3n0.hma.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0hg4dvh.1qt.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e23daa5d.if2.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjwcjsjc.umd.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pej2zjrs.mml.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdz4vktr.xfo.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_utn1oj0r.spb.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x13ksxuu.yky.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp
false
83DA5FF120BDC6A05C9E1148152A48F0
2789E2760A0684E67EF046E7E7F7538C3C198C85
CAEEEDE72A392E388155D3C74F199A6046A89C6ED8340C78D7BD6C37F4D4E1D0
C:\Users\user\AppData\Local\Temp\tmpF565.tmp
true
83DA5FF120BDC6A05C9E1148152A48F0
2789E2760A0684E67EF046E7E7F7538C3C198C85
CAEEEDE72A392E388155D3C74F199A6046A89C6ED8340C78D7BD6C37F4D4E1D0
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
BC7C2FFCF05B15DEA4FC6AAC3CC0887B
F777DA80862B3E57234142EF7D9067A2401D70D6
562CA0CF92DC9FC836A8E276CF402B2F0C9E31ABB50DB73A756D7BC4F61117AA
C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe
true
B8362F2F6E0353819FA0DD8A35EF6A58
F1CB392FA0FD6ACBB6EB1D858064A74FD5272FF3
0EF41DABAA6AF07317DD45595F15625CB7517650BB13B365DE0717D3CAD26197
C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20210407\PowerShell_transcript.980108.ECse6Ohy.20210407120705.txt
false
104D8EFE3FDA0E9A1361627665B03AAC
0B066E4FB41F2B247A31C7E02CE385F464040030
F802B1A41CC8DE988E18323C4EBB5B911EBABA42ECE30A16A5A56F3F55E11878
C:\Users\user\Documents\20210407\PowerShell_transcript.980108.IThRkPer.20210407120726.txt
false
DCABB212A7382C7ABF3BBBD87F523CC6
39FF77F92C4454456495A9F5BAB1F345DA391A04
F307A40AF8FBF1F340D8476A64FB787F8C95D3C75BBB28AA781D968E99E4B47C
C:\Users\user\Documents\20210407\PowerShell_transcript.980108.eyquLQAd.20210407120723.txt
false
17C31712FC3B977759DED677E8074C9A
E65F7EC1AAA3650759C944E7E60F9F0F4FC108F2
C04D538E3F7D279FC1ACF3CECA9E7A1607DA178EA81C6AB16C3BBC9AE4A37937
C:\Users\user\Documents\20210407\PowerShell_transcript.980108.uu_KBH0g.20210407120702.txt
false
98BFEE5676F9CA48BB57F9827860F0DF
56F430264A3E11F97734DF549C8A003302CFFD06
F9EE3D7728672764DF455041A6CCC9690179DC9FFA6FE56BD0C1D6132E589E47
127.0.0.1
194.5.98.9
lastme11.ddns.net
true
194.5.98.9
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT