34.0.0 Boulder Opal
IR
528704
CloudBasic
17:29:12
25/11/2021
TT_SWIFT_Export Order_noref S10SMG00318021.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
fff91c58119d3cd7f68457e8565f7116
4201eb7214bd3658889739e4856412b8063e0405
f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
5FB1F2A73499F0915A78C3AC50BE1B07
8EE5A7E5FB66313371ECD18C20196F695F18D3CB
F033460017CB192F6AFA7E662803081BA0612D827432B9275B692E9FBDB6F5E3
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ic10stv.gry.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3vwogde.4ck.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt5nzkl2.tah.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys5lr1qk.smh.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
true
073226D0EFA0A26416EDDC6944D51BCC
38A3F2287EE0FEF6BCD822073F86465BC07A0410
72B3E02ACCA5893BA29C7A20D4A175DCD624EB47A5CF4EB5EC7281CA527209BF
C:\Users\user\AppData\Roaming\AnsPejV.exe
true
FFF91C58119D3CD7F68457E8565F7116
4201EB7214BD3658889739E4856412B8063E0405
F8C0D385ECE89CD926B2C74680C036F9927414955E7FF4ED12B576470B8C1745
C:\Users\user\AppData\Roaming\AnsPejV.exe:Zone.Identifier
false
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.c7I805VN.20211125173008.txt
false
8AE9A22691D773B86900B6325C03EC43
E80D83E1253AB678CA43BAA3085013D08A937D1E
0A7BCD43B7E1DC35C193F4A4F5E5D63763FBC98B088E8914440ACBB81C0313E7
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.vc7f5t7q.20211125173011.txt
false
C0C13A582E37634B29E0F4BC6F44BA47
397AFD879056F2B3E24F5C096AA34FCF841B5AAA
7B9B0E595B666EF88EC3BD1DB118A3E00341E7EE4085A44236BEC3C19237B1C3
23.227.38.74
34.102.136.180
156.226.250.165
209.17.116.163
webredir.vip.gandi.net
false
217.70.184.50
www.oki-net.com
true
154.196.11.204
hpsaddlerock.com
false
34.102.136.180
www.wamhsh.com
true
156.226.250.165
www.aarondecker.online
true
209.17.116.163
shops.myshopify.com
true
23.227.38.74
www.innovativepropsolutions.com
true
unknown
www.754711.com
true
unknown
www.pyjama-france.com
true
unknown
www.hpsaddlerock.com
true
unknown
www.elderlycareacademy.com
true
unknown
www.blueharepress.com
true
unknown
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Yara detected AntiVM3
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules