33.0.0 White Diamond
IR
483205
CloudBasic
16:46:12
14/09/2021
14 Items receipt.vbs
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
a47a00103d35b883f7edbc91398ad40b
72c41b1fb3565c5499a9ca5191e178c85ecceb90
13e48ac9a85c335c0a27a9c13b1878150764d47523907ea1e12a6218d7ff57d6
true
false
false
false
100
0
100
5
0
5
false
C:\Users\Public\Run\New.vbs
false
70A508C6E62F6D0656D37C5367B08AE1
788209E9A5533A02F368332DF64BBF8F9BAFE332
51E4082E0B589A1BFD0BF1D93C00963662BBD418F3C5BC9F19457F25B28F43F0
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
E494C8B04CCA7990028009C5A768629C
42B21DC378D323E339D49BDC8CD4F96DC5837358
AB50EF20F6B7CFF39117E3E89980CDD2FCECBCEDDDE456FECED62FC3AED475BF
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
B2E8F5B1D2CA14F416C34A1D80229547
25427AFC9715DC9C34187C211788E2409C83FA48
A0B23D2B06F072A75AE6E5182F3776207E9EB012C568F11A10E5EE55F1F7FD03
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_504w00vk.dm5.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5tw3aje.oei.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
84864902DEC5038CEF326FF21E8D5F98
2F10FEC81D95813C3B2530EC4CECED70164A08C5
5B4853A46F99AC6445B68DC1A841D511D0E86C6EDEC2A0A84F3778039A578B6B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
378BACC43DD9BCE97C231A1B5BC9A1B2
4C94CF1392A116F78C16E91905A78739E892D246
50AC6A3B0AB9FEAB8C50D20CA393C40EEC8446BF5C1833FAFEB8C259DEEDC506
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
4E5E92E2369688041CC82EF9650EDED2
15E44F2F3194EE232B44E9684163B6F66472C862
F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
2E52F446105FBF828E63CF808B721F9C
5330E54F238F46DC04C1AC62B051DB4FCD7416FB
2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
C:\Users\user\Documents\20210914\PowerShell_transcript.284992.OXzsVwK_.20210914164711.txt
false
D8F9A344C0D1E39CDDA88069F12A1648
339290E6491A1C9E494D555D43E39C616E4C394E
BEC57A4CFABE8453A46480AC9D54C1FB36C30CCBAA55D45030C72701AD114E1C
144.76.136.153
192.168.2.1
194.147.140.20
newjan.duckdns.org
true
194.147.140.20
transfer.sh
false
144.76.136.153
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Very long command line found
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Detected Nanocore Rat
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Sigma detected: CrackMapExec PowerShell Obfuscation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services