32.0.0 Black Diamond
IR
402845
CloudBasic
14:49:18
03/05/2021
Invoiceo.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
8f2489d7ce50e99109af9925818daf2b
5481d53e59fda1e0d849b677e15b410ba6f64fbc
0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
154.207.58.218
www.tabuk24.com
true
154.207.58.218
www.swim-maki.com
true
unknown
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook