36.0.0 Rainbow Opal
IR
745008
CloudBasic
17:15:13
13/11/2022
zzkCIdCoDt.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
e383dda8987435a6a3950aa9a6909b2c
8b3982937eddd443b671161e04c80a2ed5e68818
8c1db84c9f86675e3487960e5275fdf2e690b53eff1879e2d72673463fe1055a
Win64 Dynamic Link Library (generic) (102004/3) 86.43%
true
false
false
false
84
0
100
5
0
5
false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
false
3DCF580A93972319E82CAFBC047D34D5
8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
false
43156C86A7520289C41B5FA58959ECAE
C79779653F313D6F972EE358013D5A3E344F9E3A
5F60BF4848F60492318892444B27705228496879AC1E166F78917C1C1B620F1B
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
false
40867086CD88892047DB348A9F686336
2F8B90ABDEA0B274E574A7365D64C853A55AC941
A096F8B4C7D36A3FEEB75B860BC71F12B2727778CD3C37B9A4D54BBFE9ADB577
https://172.105.115.71:8080/xucipr/ysjolf/ncmjlqi/
false
unknown
https://172.105.115.71:8080/z
false
unknown
Creates an autostart registry key pointing to binary in C:\Windows
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Snort IDS alert for network traffic