32.0.0 Black Diamond
IR
403532
CloudBasic
07:14:23
04/05/2021
741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
cdda16bd52c7c602b534593be9149a42
5789cb8b8b1493de3733c66cd52d8b0180be6cd4
741b26251fa1fba9c4d5eb7aaca544f07859f82c296b8c01d2339a4ea2d06c58
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
false
71369277D09DA0830C8C59F9E22BB23A
37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.log
true
ED4EBBF50955129F980394522E6F689E
4DFA7FEDB46CD096E5869EFFC8FB74FE333B295A
B8ED8F33F5E6A5DA8ACE56720245C651D63ED0C7415B640B33445425284490EE
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
false
50DEC1858E13F033E6DCA3CBFAD5E8DE
79AE1E9131B0FAF215B499D2F7B4C595AA120925
14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
false
50DEC1858E13F033E6DCA3CBFAD5E8DE
79AE1E9131B0FAF215B499D2F7B4C595AA120925
14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
8D5E194411E038C060288366D6766D3D
DC1A8229ED0B909042065EA69253E86E86D71C88
44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
99031A08329636158D3AEF935E655921
E3B6128B5A081B87303D9A16BBC4BE9B2C63363C
CA726B47B1B806EDC010F4DB35D8BDB1C1D75548634A8B53E1C698819E6321A7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eywfmlgy.1th.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gof3hya4.2ip.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2xejyx0.1ov.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5ptkebd.tnb.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp30C2.tmp
true
32319A48FC91674BB574177853C94741
63293D27D77CD683D60199A2D61FF76EDAC36584
03350CAC52945A5551E07DA2647F400D39DF30B849A00FFBE60B466CC704B77D
C:\Users\user\AppData\Local\Temp\tmpB146.tmp
false
40B11EF601FB28F9B2E69D36857BF2EC
B6454020AD2CEED193F4792B77001D0BD741B370
C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
C:\Users\user\AppData\Local\Temp\tmpB52F.tmp
false
5C2F41CFC6F988C859DA7D727AC2B62A
68999C85FC7E37BAB9216E0099836D40D4545C1C
98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
411EF39A6DB99EE949EEA4ACEA7229D3
C9B3F9D84DE0D440557D2B095AF10BE38CC2346E
16FC08F263A59F50DB07FBA479137CDE9D872C3CB0E1A08095D2464DBB39F58E
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
D685103573539B7E9FDBF5F1D7DD96CE
4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
C:\Users\user\AppData\Roaming\gKpxRZsP.exe
true
CDDA16BD52C7C602B534593BE9149A42
5789CB8B8B1493DE3733C66CD52D8B0180BE6CD4
741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8C01D2339A4EA2D06C58
C:\Users\user\AppData\Roaming\gKpxRZsP.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20210504\PowerShell_transcript.813435.K7iDO9IF.20210504071538.txt
false
6331AE1D412EBC7310F52FEB97831F58
8690725843D19FAD0528F7B9F4CA596C3D6C6D9A
EE9DBA77E8DB16DB13D081C3222B75F76FCD90701F03F57860CFE8849D02EE31
C:\Users\user\Documents\20210504\PowerShell_transcript.813435.WJkwONF7.20210504071534.txt
false
D88A09D4A60F78F280D1CAEDB6511E46
32E5507909FFA40EB273EC0009FD441DE1062DAB
F86EDDD54173F82E09383DCB45FECB80ACEFDB5F0A46C066F65CA189B862C795
\Device\ConDrv
false
46EBEB88876A00A52CC37B1F8E0D0438
5E5DB352F964E5F398301662FF558BD905798A65
D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
79.134.225.40
79.134.225.82
strongodss.ddns.net
true
79.134.225.82
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT