32.0.0 Black Diamond
IR
403691
CloudBasic
10:29:25
04/05/2021
Shipping Documents Original BL, Invoice & Pa.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
b89d3e7dd6ee20a09506365497f6cc3a
d5a40ae65560da802d5c5135d024d5fa8e840ff4
c2af0dcf4558a32fde15405648d8dd6410c51d319812755fcb8e4f742723bad7
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
false
D621FD77BD585874F9686D3A76462EF1
ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
false
486580834B084C92AE1F3866166C9C34
C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents Original BL, Invoice & Pa.exe.log
true
1DC1A2DCC9EFAA84EABF4F6D6066565B
B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
false
C7F28B87C2CAD111D929CB9A0FF822F8
C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
C:\Users\user\AppData\Local\Temp\tmpF57E.tmp
true
3E2B26ED8B75AE83A269595180E84EF6
D30A0335FCCE406BCA8BA5764288235E6192F608
108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
C:\Users\user\AppData\Local\Temp\tmpF909.tmp
false
5C2F41CFC6F988C859DA7D727AC2B62A
68999C85FC7E37BAB9216E0099836D40D4545C1C
98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
B75C7318FEA570C38EC018F2E906702F
05B91D7DFF32A62966BA7C58BD42C60E70C8C54B
828C3ECDFC1F82F6D579A4FA1D140D1AFF98A986D5B10A5B94BD0EC19C8D3BB6
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
DE7A67A3040AC701DA32B2080CBB7529
8F9F4EC574D3C30BBD666DF38D513CA1E9B234FC
0B977E561E1A854A31E242E5E68D143D677A9EB875A5D5FB49C30C547DF2D6FD
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
AE0F5E6CE7122AF264EC533C6B15A27B
1265A495C42EED76CC043D50C60C23297E76CCE1
73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
787AEB1604A638B138739ED060141E9D
A2D0680883E8C6FF3DDE0A177263B03E7644D4AA
DCCB67209560E2E27A4F284CD7E412926303ABD4E77927F9A1BAF8B0B8994B45
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
6ECAFC0490DAB08E4A288E0042B6B613
4A4529907588505FC65CC9933980CFE6E576B3D6
DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
\Device\ConDrv
false
6A9888952541A41F033EB114C24DC902
41903D7C8F31013C44572E09D97B9AAFBBCE77E6
41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
172.93.166.26
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
DLL reload attack detected
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT