Joe Sandbox analysis report (fields as extracted; labels restored only where the value type makes them certain)

Joe Sandbox version: 32.0.0 Black Diamond
Analysis ID: 403743
Joe Sandbox product: CloudBasic
Time: 11:26:10
Date: 04/05/2021
Sample file name: Shipping Documents Original BL, Invoice & Pa.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
Sample MD5: 597332734fde92068c7b354d33920040
Sample SHA1: 01454e8c59644ab0dd54d2326a93965a1f52b91c
Sample SHA256: d9510122ef15d475c69ca539c949d4b8c8002b8f617411854098091106c37119
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Other extracted values, in original order, whose field labels did not survive extraction: IR; true; false; false; false; 100; 0; 100; 5; 0; 5; false
Created / dropped files (path; flag as extracted, label not recoverable; MD5; SHA1; SHA256)

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
  flag: false
  MD5: D621FD77BD585874F9686D3A76462EF1
  SHA1: ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
  SHA256: 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
  flag: false
  MD5: 486580834B084C92AE1F3866166C9C34
  SHA1: C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
  SHA256: 65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents Original BL, Invoice & Pa.exe.log
  flag: true
  MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
  SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
  SHA256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
  flag: false
  MD5: C7F28B87C2CAD111D929CB9A0FF822F8
  SHA1: C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
  SHA256: D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6

C:\Users\user\AppData\Local\Temp\tmp7B35.tmp
  flag: true
  MD5: 3E2B26ED8B75AE83A269595180E84EF6
  SHA1: D30A0335FCCE406BCA8BA5764288235E6192F608
  SHA256: 108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA

C:\Users\user\AppData\Local\Temp\tmp823B.tmp
  flag: false
  MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
  SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
  SHA256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
  flag: false
  MD5: B6EC404880A5BE35BDE0742DF27D7DDF
  SHA1: 29A9CAA4B4CD1526C23D6956A8BDCC6A205E64BE
  SHA256: EF47DD79D655D7AF9FBC895D9D9775DAC5F7BA0589D26DABA2D3537F7C9172DC

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  flag: true
  MD5: 6825F9D9255E881EBFC7B1909FDD8F1B
  SHA1: 7C5E76AA7C364B8C374C26B27163B9C3BDD25B8C
  SHA256: 3E8E091E90E39D9989917E641EC43DD84AF743CCE823C0AC4F2C73D259638436

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
  flag: false
  MD5: AE0F5E6CE7122AF264EC533C6B15A27B
  SHA1: 1265A495C42EED76CC043D50C60C23297E76CCE1
  SHA256: 73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
  flag: false
  MD5: 787AEB1604A638B138739ED060141E9D
  SHA1: A2D0680883E8C6FF3DDE0A177263B03E7644D4AA
  SHA256: DCCB67209560E2E27A4F284CD7E412926303ABD4E77927F9A1BAF8B0B8994B45

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
  flag: false
  MD5: 6ECAFC0490DAB08E4A288E0042B6B613
  SHA1: 4A4529907588505FC65CC9933980CFE6E576B3D6
  SHA256: DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0

\Device\ConDrv
  flag: false
  MD5: 6A9888952541A41F033EB114C24DC902
  SHA1: 41903D7C8F31013C44572E09D97B9AAFBBCE77E6
  SHA256: 41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
Network indicators (in extracted order; the lone boolean's label did not survive extraction)

IP: 172.93.166.26
Domain: api.globalsign.cloud
flag: false
IP: 104.18.25.243
Behaviour signatures (Joe Sandbox signature names, verbatim)

.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
DLL reload attack detected
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
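The two Sigma hits above (System File Execution Location Anomaly; Scheduled temp file as task from temp location) and the dropped-file paths in this report translate into host-telemetry checks a responder can run over process-creation and file-creation logs. The Python below is an added example written for this page, not code from Joe Sandbox or from the report: it approximates those two Sigma rules and adds an artifact check built from the paths the report lists (the Roaming\<GUID> data directory and the dhcpmon.exe copy). Everything else is an assumption and is labelled as such in the code: the Sysmon-style event records are constructed, the schtasks command line (the /xml pointing at tmp7B35.tmp) is assumed rather than taken from the report, and the system-binary name list is a small subset of what the real Sigma rule watches.

```python
import re

# Constructed Sysmon-style events (process creation and file creation).
# None of these records come from the report. Command lines and the control
# events are assumptions used to exercise the checks; only the paths marked
# "from report" are taken from its dropped-file list.
EVENTS = [
    {"type": "process",                                   # assumed launch of the sample
     "Image": r"C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe"'},
    {"type": "process",                                   # assumed task-creation call
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7B35.tmp"'},
    {"type": "process",                                   # control: no /create, no temp path
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "DHCP Monitor"'},
    {"type": "process",                                   # from report: persistence copy
     "Image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "CommandLine": r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"'},
    {"type": "process",                                   # assumed: system binary name outside its home
     "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"type": "process",                                   # control: legitimate svchost
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"type": "file",                                      # from report: NanoCore data directory
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"type": "file",                                      # control: ordinary Roaming file
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]

# Check 1: task scheduler invoked with a definition or action in a temp folder.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

def task_from_temp(ev):
    """Approximation of 'Scheduled temp file as task from temp location'."""
    if ev.get("type") != "process":
        return False
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    if image.endswith("\\schtasks.exe"):
        return "/create" in cmd.lower() and TEMP_DIR.search(cmd) is not None
    if image.endswith("\\at.exe"):                        # at.exe has no /create switch
        return TEMP_DIR.search(cmd) is not None
    return False

# Check 2: a well-known Windows binary name running from outside its home directory.
SYSTEM_BINARIES = {  # assumption: subset of the names the Sigma rule watches
    "svchost.exe", "rundll32.exe", "services.exe", "regsvr32.exe", "lsass.exe",
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "conhost.exe",
    "dllhost.exe", "explorer.exe", "taskhost.exe", "powershell.exe",
}
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\windows\\winsxs\\", "c:\\windows\\explorer.exe")

def system_exe_location_anomaly(ev):
    """Approximation of 'System File Execution Location Anomaly'."""
    if ev.get("type") != "process":
        return False
    image = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not image.startswith(LEGIT_PREFIXES)

# Check 3: on-disk artifacts generalised from the report's dropped-file list
# (any GUID-named Roaming directory holding the same file names, and the
# dhcpmon.exe copy under Program Files or Program Files (x86)).
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
NANO_ARTIFACT = re.compile(
    r"(?:\\AppData\\Roaming\\" + GUID
    + r"\\(?:(?:run|catalog|storage|task)\.dat|settings\.bin)"
    + r"|\\Program Files(?: \(x86\))?\\DHCP Monitor\\dhcpmon\.exe)$",
    re.IGNORECASE,
)

def nanocore_artifact(path):
    return NANO_ARTIFACT.search(path) is not None

def nanocore_artifact_event(ev):
    path = ev.get("Image") if ev.get("type") == "process" else ev.get("TargetFilename")
    return bool(path) and nanocore_artifact(path)

RULES = (
    ("Sigma: Scheduled temp file as task from temp location", task_from_temp),
    ("Sigma: System File Execution Location Anomaly", system_exe_location_anomaly),
    ("NanoCore on-disk artifact from this report", nanocore_artifact_event),
)

def triage(events):
    """Return (rule name, path) for every event that trips a check, in event order."""
    findings = []
    for ev in events:
        path = ev.get("Image") or ev.get("TargetFilename")
        for name, check in RULES:
            if check(ev):
                findings.append((name, path))
    return findings

if __name__ == "__main__":
    for name, path in triage(EVENTS):
        print(f"{name}: {path}")
```

The task check deliberately keys on a temp path anywhere in a /create command line, so it fires whether the temp file is the /xml definition or the task action; tighten it to the /xml and /tr arguments if the broader match is too noisy in your environment. The artifact check matches any GUID, not only D06ED635-68F6-4E9A-955C-4899F5F57B9A, because the directory name is per-victim; the file names and the DHCP Monitor copy are the stable part.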