Joe Sandbox analysis report for invoice#56432_Pdf.exe (flattened export)

Analysis:
  Sandbox version: 32.0.0 Black Diamond
  Analysis ID: 433430
  Time: 19:57:35
  Date: 11/06/2021
  Sample name: invoice#56432_Pdf.exe
  Cookbook: default.jbs
  Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  Platform: WINDOWS
  Other export fields (column headers not preserved): IR, CloudBasic

Submitted sample:
  MD5: 1872fbdcb3e1ecd6d2c7c4c0e3f0542c
  SHA1: d3ac7e7add55ae2d25aa6ad3a015e22cd7a3447d
  SHA256: 70a1c87cde771cea10a195826a8ddd79003cac8ba3ec50e10cc2be34499fd846
  File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  Other export fields (booleans and scores, column headers not preserved, kept in export order): true, false, false, false, 100, 0, 100, 5, 0, 5, false
Dropped files (each entry: path, the export's per-file boolean, MD5 / SHA1 / SHA256; the boolean's column header was not preserved and it is kept as exported):

  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
    flag: false
    MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
    SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
    SHA256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
    Note: a CLR usage log is written when a .NET process runs, so a process named RegSvcs.exe (a .NET Framework utility) executed during the analysis; read this together with the process hollowing signature below.

  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice#56432_Pdf.exe.log
    flag: true
    MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
    SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
    SHA256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
    Note: same hashes as the RegSvcs.exe usage log above.

  C:\Users\user\AppData\Local\Temp\tmpC457.tmp
    flag: true
    MD5: CA5FD71D72E96C51783FBDC2E8874F38
    SHA1: 73F22039BDEAB58BB3B5F8174F2829FDA1E428AA
    SHA256: 70E632A493D03D671EC7CA334CCF581BE66F29C38307B34C05A1892F388F7ED3

  C:\Users\user\AppData\Local\Temp\tmpCDAE.tmp
    flag: false
    MD5: C09FD0EC930D435414B0145E84D605AC
    SHA1: D8047586E7185494DE4A1E2EB4182BED0144A0DF
    SHA256: F10E0F64CE7A14AFB122E12670D236B47E6DCEE0969AFAEDCD19C3BDD290209E

  C:\Users\user\AppData\Roaming\UzYBKefg.exe
    flag: true
    MD5: 1872FBDCB3E1ECD6D2C7C4C0E3F0542C
    SHA1: D3AC7E7ADD55AE2D25AA6AD3A015E22CD7A3447D
    SHA256: 70A1C87CDE771CEA10A195826A8DDD79003CAC8BA3EC50E10CC2BE34499FD846
    Note: identical hashes to the submitted sample, i.e. a byte-for-byte copy of the sample placed under %APPDATA%. The Roaming path suffix and file name are the indicators to sweep for on other hosts; the C:\Users\user prefix is the sandbox's own profile.

  C:\Users\user\AppData\Roaming\UzYBKefg.exe:Zone.Identifier
    flag: false
    MD5: 187F488E27DB4AF347237FE461A079AD
    SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    Note: Zone.Identifier alternate data stream on the dropped copy.

  C:\Users\user\AppData\Roaming\suSwVklf.exe
    flag: false
    MD5: 2867A3817C9245F7CF518524DFD18F28
    SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
    SHA256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Contacted IPs:
  35.203.102.63
  166.62.10.181
  87.236.16.60

Contacted domains (name, the export's per-domain boolean, and the address field that follows each name in the export; "unknown" where none was recorded):
  dotacionesmedicasmarmol.com       flag: false   35.203.102.63
  www.potoloks-spb.online           flag: true    87.236.16.60
  martinbrosenterprise.com          flag: true    166.62.10.181
  www.dotacionesmedicasmarmol.com   flag: true    unknown
  www.martinbrosenterprise.com      flag: true    unknown
Detection signatures (as exported, in export order):
  - C2 URLs / IPs found in malware configuration
  - Initial sample is a PE file and has a suspicious name
  - Injects a PE file into a foreign process
  - Maps a DLL or memory area into another process
  - Modifies the context of a thread in another process (thread injection)
  - Modifies the prolog of user mode functions (user mode inline hooks)
  - Queues an APC in another process (thread injection)
  - Sample uses process hollowing technique
  - Sigma detected: Suspicious Process Start Without DLL
  - Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  - Tries to detect virtualization through RDTSC time measurements
  - Uses schtasks.exe or at.exe to add and modify task schedules

  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - Multi AV Scanner detection for dropped file
  - Multi AV Scanner detection for submitted file
  - System process connects to network (likely due to code injection or exploit)
  - Yara detected AntiVM3
  - Yara detected FormBook

Reading the signatures together with the dropped files: the sample is identified by TrID as a .NET executable and by Yara as FormBook; it writes a byte-identical copy of itself to %APPDATA% (UzYBKefg.exe), adds or modifies a scheduled task with schtasks.exe, injects into another process (PE injection, APC queueing, thread context modification and process hollowing are all flagged), checks for virtualization via RDTSC timing and for analysis tools by process, module or function name, and a system process, likely the injection target, makes the network connections to the domains and IPs listed above. For hunting, the file hashes, the Roaming file names, the flagged domains and IPs, and the schtasks invocation are the indicators to carry into logs and EDR queries.
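The indicators above can be turned directly into a log sweep. The following Python is an added example and is not part of the sandbox report or of any vendor tool: it loads the sample hash, the dropped executables in Roaming, the domains the export flags true, and the three contacted IPs from this report, and runs them over a constructed key=value event log (the log format, host names WS01 to WS04, user names alice/bob/carol, the event names and the scheduled-task name "Updater" are invented for the example; the domain flagged false is deliberately left out of the match set). Two practitioner details are built in: dropped paths are matched on the suffix below the user profile, because the C:\Users\user prefix belongs to the sandbox, and a path match whose hash differs from the report is reported under its own rule so a repacked variant dropped to the same location is not silently accepted as the known file.

```python
"""IOC sweep built from the indicators in the report above.

Added example, not part of the sandbox report or of any vendor tool. The
log format, host/user names, event names and task name are constructed;
the hashes, paths, domains and IPs are the report's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Indicators from the report (lower-cased for case-insensitive matching) --
SAMPLE_SHA256 = "70a1c87cde771cea10a195826a8ddd79003cac8ba3ec50e10cc2be34499fd846"

# Dropped executables keyed by the path suffix below the user profile, because
# the C:\Users\user prefix belongs to the sandbox, not to a real victim host.
DROPPED: Dict[str, str] = {
    r"\appdata\roaming\uzybkefg.exe":
        "70a1c87cde771cea10a195826a8ddd79003cac8ba3ec50e10cc2be34499fd846",
    r"\appdata\roaming\suswvklf.exe":
        "43026dcff238f20cff0419924486dee45178119cfdd0d366b79d67d950a9bf50",
}

# Domains the export flags true, and the three contacted IPs.
DOMAINS = {
    "www.potoloks-spb.online",
    "martinbrosenterprise.com",
    "www.martinbrosenterprise.com",
    "www.dotacionesmedicasmarmol.com",
}
IPS = {"35.203.102.63", "166.62.10.181", "87.236.16.60"}

# --- Constructed events (key=value; values containing spaces are quoted) ----
LOG_LINES = r"""
event=FileCreate host=WS01 image=C:\Users\alice\Downloads\invoice#56432_Pdf.exe target=C:\Users\alice\AppData\Roaming\UzYBKefg.exe sha256=70A1C87CDE771CEA10A195826A8DDD79003CAC8BA3EC50E10CC2BE34499FD846
event=ProcessCreate host=WS01 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\Users\alice\AppData\Roaming\UzYBKefg.exe /sc minute /mo 1"
event=DnsQuery host=WS01 image=C:\Windows\explorer.exe query=www.potoloks-spb.online
event=NetConnect host=WS01 image=C:\Windows\explorer.exe dst=87.236.16.60 dport=80
event=FileCreate host=WS02 image="C:\Program Files\Mozilla Firefox\firefox.exe" target=C:\Users\bob\Downloads\invoice#56432_Pdf.exe sha256=70a1c87cde771cea10a195826a8ddd79003cac8ba3ec50e10cc2be34499fd846
event=FileCreate host=WS03 image=C:\Users\carol\Downloads\setup.exe target=C:\Users\carol\AppData\Roaming\suSwVklf.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
event=DnsQuery host=WS04 image="C:\Program Files\Google\Chrome\Application\chrome.exe" query=example.org
event=ProcessCreate host=WS04 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /query /fo list"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Hit:
    line_no: int
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dropped_suffix(text: str) -> Optional[str]:
    """Return the DROPPED key contained in text (a path or a command line)."""
    t = _norm(text)
    return next((s for s in DROPPED if s in t), None)


def sweep(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_event(raw)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "FileCreate":
            sha = ev.get("sha256", "").lower()
            target = ev.get("target", "")
            suffix = _dropped_suffix(target)
            if suffix and sha and sha != DROPPED[suffix]:
                # Same drop location, different content: report it as a possible
                # variant instead of silently accepting it as the known file.
                hits.append(Hit(n, host, "dropped_path_hash_mismatch",
                                f"{target} sha256={sha} (report: {DROPPED[suffix]})"))
            elif suffix:
                hits.append(Hit(n, host, "dropped_path", target))
            elif sha == SAMPLE_SHA256 or sha in DROPPED.values():
                hits.append(Hit(n, host, "known_hash", f"{target} sha256={sha}"))
        elif kind == "DnsQuery":
            q = ev.get("query", "").lower().rstrip(".")
            if q in DOMAINS:
                hits.append(Hit(n, host, "c2_domain", q))
        elif kind == "NetConnect":
            dst = ev.get("dst", "")
            if dst in IPS:
                image = _norm(ev.get("image", ""))
                # The report flags a system process connecting out (injection);
                # a connection from under C:\Windows gets its own rule name.
                rule = "c2_ip_from_system_process" if image.startswith("c:\\windows\\") else "c2_ip"
                hits.append(Hit(n, host, rule, f"{ev.get('image')} -> {dst}"))
        elif kind == "ProcessCreate":
            image, cmd = _norm(ev.get("image", "")), ev.get("cmdline", "")
            if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and _dropped_suffix(cmd):
                hits.append(Hit(n, host, "schtasks_persistence", cmd))
    return hits


def self_copies() -> List[str]:
    """Dropped entries whose hash equals the submitted sample's (the self-copy)."""
    return [p for p, h in DROPPED.items() if h == SAMPLE_SHA256]


def hosts_to_isolate(hits: List[Hit]) -> List[str]:
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    found = sweep(LOG_LINES)
    for h in found:
        print(f"line {h.line_no:2d} {h.host} {h.rule}: {h.detail}")
    print("self-copies:", self_copies())
    print("hosts:", hosts_to_isolate(found))
```

On the constructed log, WS01 shows the full chain (drop, schtasks /create, DNS lookup and connection from explorer.exe), WS02 only received the original attachment, WS03 has a file at the suSwVklf.exe location with a different hash and is surfaced as a mismatch rather than a clean match, and WS04's schtasks /query and ordinary DNS traffic produce no hits. Real telemetry (Sysmon event IDs 11, 22, 3 and 1, or an EDR export) would be normalised into the same key names before calling sweep().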