Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 16, 2021, 6:01 p.m. | April 16, 2021, 6:03 p.m. |
Process | PID | Command line |
---|---|---|
CL_Debug_Log.txt | 2240 | C:\Users\test22\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\test22\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\test22\AppData\Local\Temp\" |
cmd.exe | 2876 | C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck" |
schtasks.exe | 2044 | schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck" |
cmd.exe | 2672 | C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit) |
timeout.exe | 2908 | timeout /t 0 |
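The process list records three behaviours worth turning into detections. First, a file with a .txt extension (CL_Debug_Log.txt) is executed with 7-Zip's extraction switches (e -p<password> <archive> -o<dir>), so it is most likely a renamed archiver unpacking the password-protected CR_Debug_Log.txt into Temp. Second, a scheduled task is created from an XML definition stored in the user's Temp directory (persistence). Third, a For /L loop keeps deleting winsdk.exe until it no longer exists and then exits (self-deletion of the original dropper). The Python below is an added editor's example, not part of the sandbox report or of the sample: it encodes those three patterns as command-line rules and runs them over the report's own command lines, copied verbatim, plus one benign schtasks line constructed here as a control. The rule names, the user-writable-directory list and the non-executable-extension list are my own choices, not anything the report defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the five command lines from the process list above
# (copied verbatim) plus one benign schtasks invocation, made up here, as a control.
SAMPLE_CMDLINES = [
    r'C:\Users\test22\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\test22\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\test22\AppData\Local\Temp\"',
    r'C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"',
    r'schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"',
    r'C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit)',
    r'timeout /t 0',
    r'C:\Windows\system32\cmd.exe /c schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"',
]

# Assumption: directories an unprivileged user can write to; extend for your estate.
USER_WRITABLE = re.compile(
    r'(?i)\\(?:AppData\\(?:Local\\Temp|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\')
# Assumption: extensions that should never belong to an executed image.
NON_EXEC_EXT = re.compile(r'(?i)\.(?:txt|log|dat|tmp|jpg|png|pdf)$')


def image_of(cmdline):
    """Return the executed image (first token), with surrounding quotes stripped."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ''


def rule_schtasks_xml_from_user_dir(c):
    """schtasks /Create /XML whose task definition lives in a user-writable directory."""
    m = re.search(r'(?i)\bschtasks(?:\.exe)?\b.*?/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', c)
    if not m:
        return False
    return USER_WRITABLE.search(m.group(1) or m.group(2)) is not None


def rule_self_delete_loop(c):
    """For /L loop that deletes a file and exits once it is gone (dropper self-deletion)."""
    pat = r'(?i)\bfor\s+/l\s+%\w+\s+in\s+\([^)]*\)\s+do\b.*\bdel\b.*\bif\s+not\s+exist\b'
    return re.search(pat, c) is not None


def rule_renamed_archiver_password_extract(c):
    """7-Zip style 'e -p<pwd> <archive> -o<dir>' run by an image with a non-executable extension."""
    if not NON_EXEC_EXT.search(image_of(c)):
        return False
    return re.search(r'(?i)\s[ex]\s+-p\S+.*\s-o"?[a-z]:\\', c) is not None


def extraction_password(c):
    """Recover the -p<password> argument so the dropped archive can be opened during IR."""
    m = re.search(r'(?i)\s-p"?([^"\s]+)"?', c)
    return m.group(1) if m else None


RULES = {
    'schtasks_xml_from_user_writable_dir': rule_schtasks_xml_from_user_dir,
    'self_delete_loop': rule_self_delete_loop,
    'renamed_archiver_password_extract': rule_renamed_archiver_password_extract,
}


def scan(cmdlines):
    """Map each rule name to the command lines it fired on."""
    hits = defaultdict(list)
    for c in cmdlines:
        for name, rule in RULES.items():
            if rule(c):
                hits[name].append(c)
    return dict(hits)


if __name__ == '__main__':
    for name, lines in scan(SAMPLE_CMDLINES).items():
        print(f'[{name}]')
        for line in lines:
            print('   ', line)
            pwd = extraction_password(line)
            if pwd:
                print('    extraction password:', pwd)
```

The schtasks rule deliberately keys on the location of the XML file rather than on schtasks itself, since administrators create tasks from XML too; the control line with /SC DAILY and a task image under Program Files does not fire. The password recovered from the first command line is the one needed to open CR_Debug_Log.txt if the archive is retrieved from the Temp directory.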
Name | Response | Post-Analysis Lookup |
---|---|---|
ezstat.ru | 88.99.66.31 | |
pool.hashvault.pro | 131.153.159.26 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.101:49220 -> 54.36.227.247:443 | None | None | None |
TLS 1.3 192.168.56.101:49221 -> 51.75.169.249:443 | None | None | None |
TLS 1.2 192.168.56.101:49218 -> 163.172.157.213:443 | CN=www.kbh6c2mkb3ep3gmmbunj.com | CN=www.msbmibde6afmtoudkx.net | d2:a9:57:33:22:05:5f:8e:9d:0c:31:87:f8:9d:28:26:8d:48:1a:e7 |
TLS 1.3 192.168.56.101:49219 -> 145.239.66.236:9001 | None | None | None |
TLS 1.3 192.168.56.101:49216 -> 176.10.104.240:8443 | None | None | None |
TLS 1.3 192.168.56.101:49222 -> 51.75.169.249:443 | None | None | None |
TLSv1 192.168.56.101:49226 -> 88.99.66.31:443 | C=US, O=Let's Encrypt, CN=R3 | CN=iplogger.com | a6:9e:b0:a2:7d:aa:50:d1:63:45:45:aa:4b:92:18:ef:3b:1e:2e:94 |
Type | Value | Description |
---|---|---|
request | GET https://ezstat.ru/1DEqw7 | |
domain | ezstat.ru | Russian Federation domain TLD |
file | C:\Users\test22\AppData\Local\Temp\64.exe | |
file | C:\Users\test22\AppData\Local\Temp\32.exe | |
cmdline | schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck" | |
cmdline | C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit) | |
cmdline | C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck" | |
file | C:\Users\test22\AppData\Local\Temp\CL_Debug_Log.txt | |
file | C:\Users\test22\AppData\Local\Temp\winsdk.exe | |
section | .rsrc (virtual_address 0x000c8000, virtual_size 0x00f27c68, size_of_data 0x00f27e00), entropy 7.99983884848177 | A section with a high entropy has been found |
entropy | 0.950483831455 | Overall entropy of this PE file is high |
host | 145.239.66.236 | |
host | 163.172.157.213 | |
host | 176.10.104.240 | |
host | 51.75.169.249 | |
host | 54.36.227.247 | |
file | C:\Users\test22\AppData\Local\Temp\SystemCheck.xml | |
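The two entropy signatures above flag a 15.9 MB .rsrc section at 7.9998 bits per byte, close to the 8.0 maximum of a uniformly random byte stream, and an overall figure of 0.95 on a 0..1 scale (bits per byte divided by 8). Values that high are what compressed or encrypted data looks like, which fits a dropper that carries a password-protected archive in its resources. The Python below is an added example, not the sandbox's own code: it computes both figures the way the signatures present them, flags sections above a threshold, and locates the high-entropy region inside a blob with a sliding window so the embedded payload can be carved out. The 7.4 bits-per-byte threshold and the sample section contents are assumptions constructed here; the report gives neither the sandbox's threshold nor the file bytes.

```python
import math
import os
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data):
    """The same measure on a 0..1 scale, as the file-level figure in the report is given."""
    return shannon_entropy(data) / 8.0


# Assumption: the report does not state the sandbox's cut-off; 7.4 bits/byte is a common
# threshold above which a section is treated as compressed or encrypted rather than code.
HIGH_ENTROPY_THRESHOLD = 7.4


def assess_sections(sections):
    """sections: {name: bytes}. Returns [(name, size, entropy, flagged)] per section."""
    out = []
    for name, data in sections.items():
        e = shannon_entropy(data)
        out.append((name, len(data), round(e, 4), e >= HIGH_ENTROPY_THRESHOLD))
    return out


def high_entropy_runs(data, window=4096, threshold=HIGH_ENTROPY_THRESHOLD):
    """Slide a fixed window over a blob and merge consecutive high-entropy windows into
    (start, end) byte ranges, to locate an embedded encrypted or compressed payload."""
    runs = []
    start = None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(data)))
    return runs


# Constructed sample data (not from the report): a low-entropy code-like section and a
# random blob standing in for an encrypted resource such as the 15.9 MB .rsrc above.
LOW = bytes(range(16)) * 512          # 8 KiB drawn from 16 byte values: exactly 4.0 bits/byte
HIGH = os.urandom(16384)              # 16 KiB of random bytes: about 7.99 bits/byte
SAMPLE_SECTIONS = {'.text': LOW, '.rsrc': HIGH}
SAMPLE_FILE = LOW + HIGH + LOW        # payload sandwiched between two plain regions

if __name__ == '__main__':
    for name, size, e, flagged in assess_sections(SAMPLE_SECTIONS):
        print(f'{name:6} size={size:6} entropy={e:.4f} {"HIGH" if flagged else "ok"}')
    print('overall (0..1):', round(normalized_entropy(SAMPLE_FILE), 3))
    print('high-entropy runs:', high_entropy_runs(SAMPLE_FILE))
```

On a real sample the section bytes come from the PE section table (size_of_data bytes at the section's raw offset), and the window scan is run over the flagged section to find where the archive begins; the run boundaries then give the offset and length to carve for a second-stage analysis with the password recorded in the process list.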
Engine | Result |
---|---|
Elastic | malicious (high confidence) |
MicroWorld-eScan | AIT:Trojan.Nymeria.1546 |
CAT-QuickHeal | Trojan.AutoIt.MineDropper.C |
McAfee | Artemis!35AB7B989418 |
Sangfor | Trojan.Win32.Save.a |
Arcabit | AIT:Trojan.Nymeria.D60A |
ESET-NOD32 | a variant of Win32/TrojanDropper.Autoit.TL |
APEX | Malicious |
Avast | AutoIt:Injector-JY [Trj] |
Kaspersky | HEUR:Trojan.Script.Generic |
BitDefender | AIT:Trojan.Nymeria.1546 |
Rising | Trojan.CoinMiner/Autoit!1.C937 (CLASSIC) |
Ad-Aware | AIT:Trojan.Nymeria.1546 |
Emsisoft | AIT:Trojan.Nymeria.1546 (B) |
McAfee-GW-Edition | BehavesLike.Win32.TrojanAitInject.wc |
FireEye | Generic.mg.35ab7b989418f63d |
Sophos | ML/PE-A |
Ikarus | Trojan-Dropper.Win32.Autoit |
Avira | DR/AutoIt.Gen |
MAX | malware (ai score=100) |
Microsoft | TrojanDropper:AutoIt/Nymeria.AR!MTB |
GData | AIT:Trojan.Nymeria.1546 (2x) |
Cynet | Malicious (score: 99) |
AhnLab-V3 | Dropper/AU3.Miner.S1098 |
BitDefenderTheta | AI:Packer.BC75735117 |
ALYac | AIT:Trojan.Nymeria.1546 |
eGambit | Unsafe.AI_Score_99% |
Fortinet | AutoIt/CoinMiner.TL!tr |
AVG | AutoIt:Injector-JY [Trj] |
Qihoo-360 | HEUR/QVM10.1.9EDA.Malware.Gen |