Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 18, 2021, 5:33 p.m. | June 18, 2021, 5:47 p.m. |
Process Tree

Process | Command line | PID |
---|---|---|
cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat C:\Users\test22\AppData\Local\Temp\SystemCrasher_ByDaniel.exe" | 2252 |
calc.exe | calc | 2044 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2772 |
explorer.exe | explorer | 1572 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2892 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 1276 |
mspaint.exe | mspaint | 668 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2312 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 1684 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 1468 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 2644 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 1932 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 2620 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2232 |
control.exe | control | 2988 |
net1.exe | C:\Windows\system32\net1 user DANIEL TROJAN /add | 2548 |
net1.exe | C:\Windows\system32\net1 user 30298 /add | 2544 |
net1.exe | C:\Windows\system32\net1 user YOUR PC IS TRASHED BY DANIEL /add | 3208 |
calc.exe | calc | 3256 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3324 |
explorer.exe | explorer | 3408 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3480 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3764 |
mspaint.exe | mspaint | 3812 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3884 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3148 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4024 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3512 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 752 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3796 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3444 |
control.exe | control | 3532 |
calc.exe | calc | 3608 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3956 |
explorer.exe | explorer | 4072 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3168 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3704 |
mspaint.exe | mspaint | 3852 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4052 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3272 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2696 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3340 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3116 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 3108 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 3068 |
control.exe | control | 3856 |
calc.exe | calc | 1996 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 996 |
explorer.exe | explorer | 1124 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2536 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 1340 |
mspaint.exe | mspaint | 2592 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2224 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4344 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 2284 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4432 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4216 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4608 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4376 |
control.exe | control | 4492 |
calc.exe | calc | 4580 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4704 |
explorer.exe | explorer | 4780 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4860 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 5088 |
mspaint.exe | mspaint | 1036 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4248 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4832 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4452 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4856 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4372 |
wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | 4548 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4944 |
control.exe | control | 5032 |
calc.exe | calc | 4268 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4332 |
explorer.exe | explorer | 4708 |
msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | 4316 |
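The process tree is the behavioural core of this report: a batch file dropped into nested `*.tmp` directories under the user's Temp folder is run through `cmd.exe /c` with the original executable's path as its argument, and it then loops over `msg *` broadcasts, launches stock applications, and calls `net user ... /add` three times. Two details matter when reading those `net user` lines. The documented form is `net user <name> [password] /add`, so the unquoted `net user DANIEL TROJAN /add` requests an account named DANIEL with password TROJAN rather than an account called "DANIEL TROJAN", and `net user YOUR PC IS TRASHED BY DANIEL /add` carries more positional arguments than that syntax allows. The report does not record the exit status of any of the three calls, nor whether the process held the administrative rights that local account creation requires. The Python below is an added example, not part of the sandbox report or of the sample: it applies those checks to process-creation events, tokenising `net user ... /add` command lines, extracting the dropped-batch path, and counting the `msg *` broadcasts. The event list is constructed from rows of the tree above; the rule that `net.exe` rejects more than two positional arguments with a syntax error is an assumption, marked as such in the code.

```python
"""Triage of sandbox process-creation events (added example, not report code)."""
import re
from collections import Counter

# Constructed sample: (process, command line) pairs copied from rows of the
# process tree; PIDs are omitted because the logic does not need them.
SAMPLE_EVENTS = [
    ("cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat C:\Users\test22\AppData\Local\Temp\SystemCrasher_ByDaniel.exe"'),
    ("calc.exe", "calc"),
    ("msg.exe", "msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel"),
    ("explorer.exe", "explorer"),
    ("mspaint.exe", "mspaint"),
    ("wordpad.exe", r'"C:\Program Files\Windows NT\Accessories\wordpad.exe"'),
    ("control.exe", "control"),
    ("net1.exe", r"C:\Windows\system32\net1 user DANIEL TROJAN /add"),
    ("net1.exe", r"C:\Windows\system32\net1 user 30298 /add"),
    ("net1.exe", r"C:\Windows\system32\net1 user YOUR PC IS TRASHED BY DANIEL /add"),
    ("msg.exe", "msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel"),
]

# A .bat inside one or more *.tmp directories under %LOCALAPPDATA%\Temp, the
# drop pattern visible in the cmd.exe wrapper line of the report.
TEMP_BAT_RE = re.compile(
    r'\\AppData\\Local\\Temp\\(?:[^\\"]+\.tmp\\)+[^\\"]+\.bat', re.IGNORECASE)

NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}


def parse_net_user_add(cmdline):
    """Return {'username', 'password', 'malformed'} for a `net user ... /add`
    command line, or None when the line is something else."""
    tokens = cmdline.split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in NET_BINARIES or tokens[1].lower() != "user":
        return None
    rest = tokens[2:]
    switches = [t.lower() for t in rest if t.startswith("/")]
    positional = [t for t in rest if not t.startswith("/")]
    if "/add" not in switches or not positional:
        return None
    # net user takes at most two positional arguments, name and password.
    # Assumption: net.exe rejects anything beyond that with a syntax error,
    # so such a line never creates an account.
    return {
        "username": positional[0],
        "password": positional[1] if len(positional) > 1 else None,
        "malformed": len(positional) > 2,
    }


def batch_from_temp(cmdline):
    """Return the Temp-dropped .bat path referenced by the command line, or None."""
    match = TEMP_BAT_RE.search(cmdline)
    return match.group(0) if match else None


def triage(events):
    """Summarise a list of (process, cmdline) events: accounts requested via
    net user /add, dropped batch paths, msg * broadcast texts, and per-process
    spawn counts (the calc/explorer/mspaint/wordpad/control noise)."""
    accounts, batch_paths = [], []
    broadcasts, spawned = Counter(), Counter()
    for proc, cmdline in events:
        proc = proc.lower()
        spawned[proc] += 1
        account = parse_net_user_add(cmdline)
        if account:
            accounts.append(account)
        bat = batch_from_temp(cmdline)
        if bat:
            batch_paths.append(bat)
        if proc == "msg.exe":
            # `msg *` sends the text to every session on the host.
            parts = cmdline.split(None, 2)
            if len(parts) == 3 and parts[1] == "*":
                broadcasts[parts[2]] += 1
    return {
        "accounts": accounts,
        "batch_paths": batch_paths,
        "broadcasts": dict(broadcasts),
        "spawned": dict(spawned),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for account in summary["accounts"]:
        print("net user /add:", account)
    print("dropped batch:", summary["batch_paths"])
    print("broadcast texts:", summary["broadcasts"])
    print("spawn counts:", summary["spawned"])
```

On a live host the same functions apply to Sysmon event ID 4688/1 command lines; the value of the parser is that it reads the `net user` line the way `net.exe` does (name, then password) instead of the way the author intended, which is what decides which account name to look for afterwards.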
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |

IP Address | Status | Action |
---|---|---|
164.124.101.2 | Active | Moloch |

Suricata Alerts
No Suricata Alerts

Suricata TLS
No Suricata TLS
Signatures

Key | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | .code |
description | wordpad.exe tried to sleep 360 seconds, actually delayed analysis time by 360 seconds |
description | mspaint.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds |
file | C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat |
cmdline | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat C:\Users\test22\AppData\Local\Temp\SystemCrasher_ByDaniel.exe" |
section | .rsrc (virtual_address 0x00022000, virtual_size 0x0002c640, size_of_data 0x0002c800, entropy 7.741) |
description | A section with a high entropy has been found |
entropy | 0.602 |
description | Overall entropy of this PE file is high |
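The two entropy rows measure different things. A section's entropy is the Shannon entropy of its raw bytes in bits per byte (8.0 is the maximum), and `.rsrc` at 7.74 over 0x2c800 bytes is the profile of compressed or encrypted data stored as a resource, which fits the rest of this report: a wrapper that carries a script in its resources and later drops it as a `.bat` under Temp. The "overall entropy" of 0.60 is not bits per byte; in the sandbox signature family these rows come from it is the share of total section data that sits in sections above the per-section threshold, and that reading is the assumption the added example below follows. The Python is not part of the report or of the sample. It computes both measures over constructed in-memory sections (no PE parsing; real triage would feed it section data from a PE parser) and applies assumed thresholds of 6.8 bits per byte for a section and 20% of section data overall.

```python
"""Section-entropy triage (added example, not report code)."""
import hashlib
import math
from collections import Counter

SECTION_THRESHOLD = 6.8  # assumed: bits/byte above which a section is "high entropy"
OVERALL_THRESHOLD = 0.2  # assumed: share of section data in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_triage(sections):
    """sections: iterable of (name, raw_bytes), as a PE parser would return.

    Returns per-section (size, entropy), the names above SECTION_THRESHOLD,
    the fraction of all section data inside those sections, and whether that
    fraction exceeds OVERALL_THRESHOLD (the 'overall entropy is high' row)."""
    per_section = {}
    high_bytes = total_bytes = 0
    for name, data in sections:
        ent = shannon_entropy(data)
        per_section[name] = (len(data), ent)
        total_bytes += len(data)
        if ent > SECTION_THRESHOLD:
            high_bytes += len(data)
    ratio = high_bytes / total_bytes if total_bytes else 0.0
    return {
        "sections": per_section,
        "high_entropy_sections": [
            name for name, (_, ent) in per_section.items() if ent > SECTION_THRESHOLD
        ],
        "overall_ratio": ratio,
        "overall_high": ratio > OVERALL_THRESHOLD,
    }


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for a compressed or encrypted payload: chained
    SHA-256 digests give a near-uniform byte distribution."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample sections. Sizes are chosen so that 60% of section data is
# high-entropy, close to the 0.60 figure in the report; the sample's real
# section contents are not reproduced here.
SAMPLE_SECTIONS = [
    (".text", bytes(range(16)) * 2000),     # 16 equiprobable values: 4.0 bits/byte
    (".data", b"\x00" * 8000),               # constant buffer: 0.0 bits/byte
    (".rsrc", pseudo_random_bytes(60000)),   # payload-like: about 8.0 bits/byte
]

if __name__ == "__main__":
    result = entropy_triage(SAMPLE_SECTIONS)
    for name, (size, ent) in result["sections"].items():
        print(f"{name:6} {size:7d} bytes  entropy {ent:.3f}")
    print("high-entropy sections:", result["high_entropy_sections"])
    print(f"overall ratio {result['overall_ratio']:.3f} -> high: {result['overall_high']}")
```

A high-entropy `.rsrc` on its own is weak evidence, since signed installers and icon-heavy programs produce the same number; it becomes meaningful in combination with the dropped `.bat` and the `cmd.exe /c` wrapper recorded elsewhere in this report.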
Matched rules

Rule | Description |
---|---|
Network_DGA | Communication using DGA |
Network_DNS | Communications use DNS |
Network_TCP_Socket | Communications over RAW Socket |
Create_Service | Create a windows service |
Sniff_Audio | Record Audio |
Network_HTTP | Communications over HTTP |
Escalate_priviledges | Escalate privileges |
KeyLogger | Run a KeyLogger |
Network_FTP | Communications over FTP |
Code_injection | Code injection with CreateRemoteThread in a remote process |
Str_Win32_Http_API | Match Windows Http API call |
Str_Win32_Internet_API | Match Windows Inet API call |
local_credential_Steal | Steal credential |
ScreenShot | Take ScreenShot |
Network_Downloader | File Downloader |
Network_P2P_Win | Communications over P2P network |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerCheck__RemoteAPI | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
DebuggerException__ConsoleCtrl | (no description) |
DebuggerException__SetConsoleCtrl | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
Check_Dlls | (no description) |
anti_dbg | Checks if being debugged |
antisb_threatExpert | Anti-Sandbox checks for ThreatExpert |
disable_dep | Bypass DEP |
win_hook | Affect hook table |
Persistence | Install itself for autorun at Windows startup |
Command lines

Key | Value |
---|---|
cmdline | net user YOUR PC IS TRASHED BY DANIEL /add |
cmdline | net user 30298 /add |
cmdline | net user DANIEL TROJAN /add |
cmdline | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat C:\Users\test22\AppData\Local\Temp\SystemCrasher_ByDaniel.exe" |
cmdline | C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\63A4.tmp\63B5.tmp\63B6.bat C:\Users\test22\AppData\Local\Temp\SystemCrasher_ByDaniel.exe" |