33.0.0 White Diamond
IR
501775
CloudBasic
08:48:09
13/10/2021
KRSEL0000056286.JPG.scr
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
d6f040b4d7d217b8525dff843feba635
8ed8beaceddf8e8e9ba4b601d1e985e5c7c2d7d9
940ad66c876976f4a05f12710687f5abb76443f693dd3986d1ff7a4c73fc866f
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
false
2867A3817C9245F7CF518524DFD18F28
D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
false
8C0458BB9EA02D50565175E38D577E35
F0B50702CD6470F3C17D637908F83212FDBDB2F2
C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
false
8C0458BB9EA02D50565175E38D577E35
F0B50702CD6470F3C17D637908F83212FDBDB2F2
C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Temp\33911166\Update.vbs
false
BED3F060611547B9D81952389AC2B088
E616E3AA0EA8E297A2602242E13A3477681287A2
B7A9F2DD4089C938788C6051D903B01E0C2AED713513E4DFB134FE5C91949255
C:\Users\user\AppData\Local\Temp\33911166\acdtfoidpw.exe
false
EFAC1E031262E2FD22D77BE15E450C43
BBF4B853791A783536E3BC4CDFB81493210A50FF
883906DBD80E79B4B55A2F49D42E19B816A8C37822918923875C57A9D2BB3F34
C:\Users\user\AppData\Local\Temp\33911166\bbslmxx.mp3
false
B9BE27AD54D7859E5865D3F2A9511ED4
3DCEB86073B93C870191B8272A158F1E45E68246
F53C1F020873EC6243B519A39A8AD0B8FB46AD23536847BB3A82F3B68BC3EF14
C:\Users\user\AppData\Local\Temp\33911166\blmcuvi.bin
false
07B5B11DD6CFDF00045139785AB35285
EAEF5689C59036D435A492A918060F4219C3DA97
81D5A96885A8D2CEC546D2E35259A79F77B3EFCC094DD69A17E7C838B50D431D
C:\Users\user\AppData\Local\Temp\33911166\efupmjbj.log
false
B7344FC88743A3363933C407A6CFB8A3
8B6A0AF17F9D47F2808D18E0BB16070F70546BA1
D9B344EFA5CC19DF933DE017C2310C1D4F4B76FBCC75CB47C00AB1F269C8CD35
C:\Users\user\AppData\Local\Temp\33911166\egccradum.rpq
false
8A7C869AD69DD7EC00AA3FBD4AFA5DA0
4760A47040FC0F93BE6CCC80261DB6BC31700E55
22B4837BB2B0E795AEFD607EFE9175CA7EA6DA100300CB9277EA84D9CD19D3D3
C:\Users\user\AppData\Local\Temp\33911166\eiad.jpg
false
E8D22557BB5F6603C532C98865CCD5A9
636DC732C27BBDB8B629F8BCBB57274F7BDB63B0
5F494B2BA3C5700F128E56495D533105A8D371F443C7CB45BCEFB90AA927C3C2
C:\Users\user\AppData\Local\Temp\33911166\fagbcbo.ico
false
55CD69436FA392FC74563FEA94C0D9CC
A393C02EA3EE453274CF25F96404236A3255EA1C
D9535DE1EA8CA1E086C374620D483E5B1253C2589B62D80480FAC4A2129BAD38
C:\Users\user\AppData\Local\Temp\33911166\ftsqid.ppt
false
EF740CD570DD4766D6AE0A4C462E4C86
6EBEA042B020CA9E4A76ED1B7D528BA426A62A27
23AB3D6E1C7366171C810C8C303836BD953705E37766DC3673C8D1ADA9C60BF0
C:\Users\user\AppData\Local\Temp\33911166\ftwkmrtqp.docx
false
51C93DF30373E2B4808CCD94060AF817
CCD9097DE3DC6CF69DF311CD7BC266DC9232A702
6BD27A359F02E248CDB45E6E150119ADD745AA028BE3009DB71578859BD7E149
C:\Users\user\AppData\Local\Temp\33911166\gbjrbcio.ppt
false
FD088B0DD1DA3EC4F335AE136030DB08
A068795B4A6315E8EC6FBEDF6506BBB2AB007541
BCA36CB79511273DFA8BBBF029D6E94DAEAEEBE46F6571881AAA1352CC8F6FA5
C:\Users\user\AppData\Local\Temp\33911166\gdljljtq.cpl
false
A7A133BCD7D03BBF6ADDC1658BF20DAC
0A3A664884BA14B7738368307AF1E498069D5348
AB5E48986B6BA499E11720D12E42BCAA8C6D712E59CCD29369F7425BD1D4A678
C:\Users\user\AppData\Local\Temp\33911166\grwmscle.bmp
false
FAEC8B3E9041BBBAE67F552C91764776
0EF8E9676EEAB9716AD08EE6BF75BB727B8A6E43
0D36C32258EDB46B3B9325B207126B530D3D4073060CB32B08E5FB9FBE924591
C:\Users\user\AppData\Local\Temp\33911166\ihkq.pdf
false
14632FC015393D244C193C33C1C3DBCA
C084DF5AF865D0548C73CFE942208EA09A541521
F73ECBCAC7B42C2A2CDEF1F102026D210708C24964401C286C876F13BA43F17B
C:\Users\user\AppData\Local\Temp\33911166\ivexkhsw.bin
false
FE7B76FE43B0D48EC09E649D3791669C
9F16FE9CC7FB6D11409083D6D84586951DB9F44F
5BBCB104598FD0CF02D426D6385613E8CCE500A253DA17C0FB06425306960C03
C:\Users\user\AppData\Local\Temp\33911166\jowmpf.dat
false
07F615871C99E860DF4A51C2608589AD
E7D9977357F4B148E0C9F9DDDC25A11C3A2A3B0C
9A6657FD3B23DBF7AAC5FCF306E0E9B18EA81496C1C8127EB31EFB6956F3B879
C:\Users\user\AppData\Local\Temp\33911166\liqucucmm.xl
false
DDDC12E603249AE7413C0F1152E415BE
20D6ED41E340B890CA845A1800E0FEA6310B5371
B4AF5EB959E3823BA63CFF92CA7A3A480FA8EFF6FEC25611F9D2448C8EB975D1
C:\Users\user\AppData\Local\Temp\33911166\lpekjev.dat
false
90F85E9DAA7BB4A1A1D029FD3D8F2CCF
A30E08BDC0506CFEC1CDAC32B9534A7F9920EA23
5E56F31FBC40A67E7AFBA14117BD6DDF69D3656360D980DE7033997A8D0265B8
C:\Users\user\AppData\Local\Temp\33911166\lsgredal.xml
false
D471202643E357DA5B108B128DC7B903
694485C499C670F4ACBAE82D2B5776EFA1C4E6B3
C38FC9C91DA774E70034CD82E83BA1A5A732019EBF20CA43B587C91EF343D131
C:\Users\user\AppData\Local\Temp\33911166\mfnquskjg.xls
false
A9983318B76F9C053B2F9EC83D35E9C7
63CC776DD26B2DDE4352B729FB1B5E8F5F851E6E
2249D2D3DC78D28FFF96998C83AA1EC9E9E8D30163984DC4924AAB8179FB4AB4
C:\Users\user\AppData\Local\Temp\33911166\mvbphn.mp3
false
8C9C4D223F47A96416446C0A49F595FF
558BE3F0C1FE5F8FD1FD2DEF9D56BEE3358A65F4
8DA7F767634CE2F72AB495047B2BAE14FBB33389EEC28E41CE9B1434D0E29DC6
C:\Users\user\AppData\Local\Temp\33911166\oexk.ini
false
35C3A3E406066C083E25DEFE8E4A921E
9C2526B9706866CE1B75924F3AA967C1C8E20500
C069BAE783EC8AD4D582B2C160D28ECDEFBDD3654488A8C2129EBCD3FC2B9B34
C:\Users\user\AppData\Local\Temp\33911166\qtthsrfrd.ppt
false
ADF668485BE537AE0D6D5C0BD66705FF
5BE524D0D0E1B7FC42280224CAC2EE68EE0B49C8
E1429751B756E17CFF90303EABD84985A6DE8264821901E78734BBCDE1D7ADB1
C:\Users\user\AppData\Local\Temp\33911166\qxhdhpfdj.log
false
A91B92473AF61DC091981BFFF41A3A88
410EF9F87CAF3801C87D69637BB469FEF3C6A369
38425C4F1F21ABEF2915051403B35003ED7274DC14B547FE84453F227510E1D2
C:\Users\user\AppData\Local\Temp\33911166\rwnbbebwm.ini
false
F8DC6E3E70B4432C180B7FA0B27B8E50
5075849AB1FAEBEBD28D3660034C5C45E65EFA8F
E94A2F8E556B0195E242AB5D6E0ADE9872BD67857D150E7E4640CF2AD21669B8
C:\Users\user\AppData\Local\Temp\33911166\sbipvhb.docx
false
CCC74C070D273ABA95D7F8754706A255
171E25C7C895A8B583A8BEF713D077DE2419001A
27DF235367CCC09F310E790A89511AB986A972722CD5F1BFC39D10019C7EBC74
C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
false
A78521017EA74E5BE68BEAF3D0ADC368
1694584C416256DE6BFB0AB72C57675910F479B3
17DCEB208F35A9966672EC161B2BA8D5A893DD51C204F2E62E291BE06F7595EC
C:\Users\user\AppData\Local\Temp\33911166\tvdjw.ppt
false
4D4F70BE0D08FD75119FE18C6F570095
654F9A02148D393B885A5803C2F3BB0146F2767F
EB0B3CCE80BA0ACBA03CFBFE229AD3590F7F913CEB3F8378D5DCB93A427114DE
C:\Users\user\AppData\Local\Temp\33911166\uetndqd.dat
false
6E7FF95EA98F7C0131B3CF7359F58AA4
78FF124AB67972F7ECC64B4BEF0B8F77B8E182FB
6E5191C99610CA5611A7F7A68F45239BB4E22B904D96E2F2DB8D24112A540FBA
C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
true
8E699954F6B5D64683412CC560938507
8CA6708B0F158EACCE3AC28B23C23ED42C168C29
C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
C:\Users\user\AppData\Local\Temp\33911166\viah.xls
false
39583EFD61806B202DC523FE9CDA7EE8
0B9870CBAFCFD8017719B7EFB0FF192C04F73946
8D13B7155EAB011986B11319C58A49145BB3290E6CA6C1F41758365739C07496
C:\Users\user\AppData\Local\Temp\33911166\vvspktn.docx
false
F50497247FF0B9655419829B94AAB136
87BFA58A7442428899D2CFEFB207DF673FB37919
754CD760794897FCF41FC99EADAD2E31F125653E8A2A7398288E746BAC1C9881
C:\Users\user\AppData\Local\Temp\RegSvcs.exe
true
2867A3817C9245F7CF518524DFD18F28
D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp
true
990B7A403BC76992021F9FA8008904F2
42911051D889BC22633FB4EC99794202975260A8
2C4DC85A9C8127D7F864AB718245EBC0C5B625C04837AC84E012429E956936EE
C:\Users\user\AppData\Local\Temp\tmp2F02.tmp
false
5C2F41CFC6F988C859DA7D727AC2B62A
68999C85FC7E37BAB9216E0099836D40D4545C1C
98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
09F439F8276044197F56C9B93E11E0A8
8EE20441D07988E58B2594DDD07B87D13FFD08B8
EA4302CC1AE911347FEF20023AEDCBBBD32FAFB4FA5126B1A76E556B4B00C0CE
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
47370DB2229FE5D11F48C7C4DCF1D3DA
02F189B1593B564FAF6B30C1573A6C4156EEA2B8
8DA13D1ABADD97A50839C4237102C680E32B80F56B8B594ACC289D603779F743
C:\Users\user\temp\gdljljtq.cpl
false
516DFE5000E662A83C141F92FD1F5BCE
A96118D40F41AE06A8E3CAEAD9052F45D28692FC
3A2E9484A8ED6BB903A1C03DA059D22F463608CD2BBDBBA833EE4F81C628BBA8
\Device\ConDrv
false
1AEB3A784552CFD2AEDEDC1D43A97A4F
804286AB9F8B3DE053222826A69A7CDA3492411A
0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
185.19.85.175
strongodss.ddns.net
true
185.19.85.175
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Connects to many ports of the same IP (likely port scanning)
Sigma detected: NanoCore
Allocates memory in foreign processes
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected AntiVM autoit script
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT
Found malware configuration
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Malicious sample detected (through community Yara rule)
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file