Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 19, 2021, 10:30 a.m. | July 19, 2021, 10:53 a.m. |
Process | Command line | PID |
---|---|---|
icacls.exe | icacls "C:\Users\test22\AppData\Local\057e0315-19ab-4b5f-ac0a-2ac31eb16c86" /deny *S-1-1-0:(OI)(CI)(DE,DC) | 2664 |
cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit | 2324 |
taskkill.exe | taskkill /im build2.exe /f | 2500 |
timeout.exe | timeout /t 6 | 2680 |
Name | Response | Post-Analysis Lookup |
---|---|---|
astdg.top | 211.170.70.237 | |
api.2ip.ua | 77.123.139.190 | |
sslamlssa1.tumblr.com | 74.114.154.22 | |
securebiz.org | 187.212.182.122 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49183 74.114.154.22:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.tumblr.com | 14:78:ba:5b:b5:54:5d:a1:2c:d2:79:4c:42:99:bb:3a:a9:db:86:c2 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | C:\zocatubewu\ficigeruja yopogexotuyuta\nutax.pdb |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://116.202.183.50/517 |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/freebl3.dll |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/mozglue.dll |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/msvcp140.dll |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/nss3.dll |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/softokn3.dll |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://116.202.183.50/vcruntime140.dll |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://116.202.183.50/ |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://sslamlssa1.tumblr.com/ |
request | GET http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true |
request | GET http://securebiz.org/dl/build2.exe |
request | POST http://116.202.183.50/517 |
request | GET http://116.202.183.50/freebl3.dll |
request | GET http://116.202.183.50/mozglue.dll |
request | GET http://116.202.183.50/msvcp140.dll |
request | GET http://116.202.183.50/nss3.dll |
request | GET http://116.202.183.50/softokn3.dll |
request | GET http://116.202.183.50/vcruntime140.dll |
request | POST http://116.202.183.50/ |
request | GET https://sslamlssa1.tumblr.com/ |
request | POST http://116.202.183.50/517 |
request | POST http://116.202.183.50/ |
domain | astdg.top | description | Generic top level domain TLD |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Chromium\User Data\Local State |
file | C:\Users\test22\AppData\Local\Nichrome\User Data\Local State |
name | RT_ICON | language | LANG_SERBIAN | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_DEFAULT | offset | 0x00519c20 | size | 0x00000468 |
name | RT_STRING | language | LANG_SERBIAN | filetype | data | sublanguage | SUBLANG_DEFAULT | offset | 0x0051fc38 | size | 0x0000029e |
name | RT_ACCELERATOR | language | LANG_SERBIAN | filetype | data | sublanguage | SUBLANG_DEFAULT | offset | 0x0051a120 | size | 0x00000010 |
name | RT_GROUP_ICON | language | LANG_SERBIAN | filetype | data | sublanguage | SUBLANG_DEFAULT | offset | 0x0051a088 | size | 0x00000068 |
file | C:\ProgramData\freebl3.dll |
file | C:\ProgramData\msvcp140.dll |
file | C:\ProgramData\nss3.dll |
file | C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe |
file | C:\ProgramData\vcruntime140.dll |
file | C:\ProgramData\mozglue.dll |
file | C:\ProgramData\softokn3.dll |
cmdline | C:\Windows\System32\cmd.exe /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit |
file | C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "build2.exe") |