Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 13, 2021, 9:56 a.m. | April 13, 2021, 9:59 a.m. |
-
-
4.exe "C:\Users\test22\AppData\Local\Temp\New Feature\4.exe"
5292 -
-
makecab.exe "C:\Windows\System32\makecab.exe"
8232 -
makecab.exe "C:\Windows\System32\makecab.exe"
3800 -
makecab.exe "C:\Windows\System32\makecab.exe"
3752 -
makecab.exe "C:\Windows\System32\makecab.exe"
5332 -
makecab.exe "C:\Windows\System32\makecab.exe"
8084 -
makecab.exe "C:\Windows\System32\makecab.exe"
6568 -
makecab.exe "C:\Windows\System32\makecab.exe"
6696 -
-
-
findstr.exe findstr /V /R "^NfIeItKcjkOKepYZCKFMkXrWzIisyYsXhQiMykUBGlqQrbUBrzKTMfJQkLIqWadhUQvkejTdQtuqWhTWOFgLgbkYudAzCUEhUMWjqInRmzrHoJTYSLjdtEYvFnyLLmOVmSupsGWyibjVxDPb$" Notti.eps
4788 -
-
Nobile.exe.com C:\Users\test22\AppData\Roaming\GcyTFWdPMenYYzQBBj\Nobile.exe.com m
9112
-
-
PING.EXE ping 127.0.0.1 -n 30
5596
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
section | .ndata |
file | C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe |
file | C:\Users\test22\AppData\Local\Temp\nsbFFC6.tmp\UAC.dll |
file | C:\Users\test22\AppData\Roaming\GcyTFWdPMenYYzQBBj\Nobile.exe.com |
file | C:\Users\test22\AppData\Local\Temp\New Feature\4.exe |
cmdline | cmd /c C:\Windows\System32\cmd.exe < Scoprirvi.eps |
cmdline | "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Scoprirvi.eps |
cmdline | C:\Windows\System32\cmd.exe |
file | C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe |
file | C:\Users\test22\AppData\Local\Temp\nsbFFC6.tmp\UAC.dll |
file | C:\Users\test22\AppData\Local\Temp\New Feature\4.exe |
url | http://www.microsoft.com/schemas/ie8tldlistdescription/1.0 |
url | http://purl.org/rss/1.0/ |
url | http://www.passport.com |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Hijack network configuration | rule | hijack_network | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over Toredo network | rule | network_toredo | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook |
cmdline | ping 127.0.0.1 -n 30 |
host | 172.217.25.14 |
file | C:\ProgramData\AVAST Software |
file | C:\ProgramData\AVG |
Elastic | malicious (high confidence) |
McAfee | Artemis!AFF6F8C75217 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Kryptik.HKJF |
APEX | Malicious |
Avast | Win32:Malware-gen |
Cynet | Malicious (score: 100) |
Kaspersky | UDS:Trojan-Dropper.Win32.Scrop |
BitDefender | Trojan.GenericKD.46080700 |
Paloalto | generic.ml |
Rising | Trojan.Kryptik!1.D4B0 (CLOUD) |
Ad-Aware | Trojan.GenericKD.46080700 |
Emsisoft | Trojan-Downloader.Agent (A) |
McAfee-GW-Edition | BehavesLike.Win32.Generic.tc |
FireEye | Generic.mg.aff6f8c7521796d3 |
Sophos | Mal/Generic-S |
SentinelOne | Static AI - Suspicious PE |
Webroot | W32.Malware.Gen |
Avira | HEUR/AGEN.1140895 |
Kingsoft | Win32.PSWTroj.Undef.(kcloud) |
Microsoft | Trojan:Win32/Bomitag.D!ml |
AegisLab | Trojan.Win32.Scrop.b!c |
GData | Win32.Trojan-Stealer.Clipper.QIHLU4 |
AhnLab-V3 | Malware/Win.Generic.C4413150 |
BitDefenderTheta | Gen:NN.ZexaF.34670.uCW@auojIGiG |
MAX | malware (ai score=99) |
Ikarus | Backdoor.Win32.Kredoor |
AVG | Win32:Malware-gen |
Qihoo-360 | Win32/TrojanSpy.Coins.HgIASSkA |