CN-Invoice-XXXXX9808-19011143287989.exe

Status: finished
Submission Time: 22.02.2021 09:03:37
Malicious
Trojan
Evader
Nanocore

Comments

Tags

  • exe
  • FedEx

Details

  • Analysis ID:
    355908
  • API (Web) ID:
    613792
  • Analysis Started:
    22.02.2021 09:12:32
  • Analysis Finished:
    22.02.2021 09:28:42
  • MD5:
    379482795da0042d0070e6ae599a369b
  • SHA1:
    baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
  • SHA256:
    7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
  • Technologies:
malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
20/71

malicious
14/47

IPs

IP              Country         Detection
104.21.71.230   United States
172.67.172.17   United States

Domains

Name                   IP              Detection
coroloboxorozor.com    104.21.71.230

URLs

Name Detection
http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43.html
http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html
https://www.hulu.com/do-not-sell-my-info
http://ocsp.sectigo.com0
http://schemas.xmlsoap.org/soap/encoding/
https://corp.roblox.com/contact/
https://go.micro
https://www.roblox.com/develop
https://instagram.com/hiddencity_
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
https://corp.roblox.com/parents/
http://coroloboxorozor.com
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://www.hulu.com/ca-privacy-rights
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://www.hulu.com/privacy
http://www.g5e.com/G5_End_User_License_Supplemental_Terms
http://www.hulu.com/terms
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://schemas.xmlsoap.org/wsdl/
https://sectigo.com/CPS0C
https://sectigo.com/CPS0D
https://www.roblox.com/info/privacy
http://www.g5e.com/termsofservice
https://en.help.roblox.com/hc/en-us
http://www.nirsoft.net/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43

Dropped files

Name / File Type

  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.log
    ASCII text, with CRLF line terminators
  • C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat
    ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eh4satsn.nas.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgcjqlgh.pwd.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnzmxykz.rbj.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wkxxjrtw.qd5.psm1
    very short file (no magic)
  • C:\Users\user\Documents\20210222\PowerShell_transcript.320946.Re__E71x.20210222091427.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210222\PowerShell_transcript.320946.cMT2273D.20210222091415.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators