Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Nov. 3, 2022, 9:51 a.m. | Nov. 3, 2022, 10:04 a.m. |
-
-
Bolt.tmp "C:\Users\test22\AppData\Local\Temp\is-CGK7S.tmp\Bolt.tmp" /SL5="$30028,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe"
2060-
-
Rufifitajy.exe "C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe"
2840 -
Lyshusazhitae.exe "C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe"
2848-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
2156-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2156 CREDAT:145409
1664
-
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1236
IP Address | Status | Action |
---|---|---|
142.251.42.142 | Active | Moloch |
142.251.42.164 | Active | Moloch |
151.115.10.1 | Active | Moloch |
164.124.101.2 | Active | Moloch |
173.233.137.44 | Active | Moloch |
23.43.165.66 | Active | Moloch |
23.59.72.17 | Active | Moloch |
37.230.138.123 | Active | Moloch |
37.230.138.66 | Active | Moloch |
52.219.75.64 | Active | Moloch |
95.214.24.96 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49168 52.219.75.64:443 |
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
TLS 1.2 192.168.56.103:49169 151.115.10.1:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLSv1 192.168.56.103:49181 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.103:49166 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.103:49189 173.233.137.44:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.103:49188 173.233.137.44:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.103:49183 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | CODE |
section | DATA |
section | BSS |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.google.com/ | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/SuperNitouDisc.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer4Publisher.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/publisher/1/KR.json | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer2kenpachi.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW |
request | HEAD http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe |
request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe |
request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe |
request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | GET http://www.google.com/ |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
request | GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | GET https://connectini.net/Series/publisher/1/KR.json |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
description | Lyshusazhitae.exe tried to sleep 202 seconds, actually delayed analysis time by 202 seconds |
file | C:\Program Files (x86)\Microsoft SQL Server\Taexelupeqo.exe |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\PowerOff.exe |
file | C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe |
file | C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe |
file | C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe |
file | C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe |
file | C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\PowerOff.exe |
file | C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-CGK7S.tmp\Bolt.tmp |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2156 CREDAT:145409 |
cmdline | C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
host | 95.214.24.96 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover | reg_value | "C:\Program Files (x86)\Microsoft SQL Server\Taexelupeqo.exe" |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
process | Bolt.tmp | useragent | InnoDownloadPlugin/1.5 | ||||||
process | iexplore.exe | useragent | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
Bkav | W32.AIDetect.malware2 |
Lionic | Trojan.Win32.Adload.a!c |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.GenericKD.63282927 |
ALYac | Trojan.GenericKD.63282927 |
Cylance | Unsafe |
Sangfor | Downloader.Win32.AdLoad.Vksq |
K7AntiVirus | Trojan-Downloader ( 00599e201 ) |
Alibaba | AdWare:Win32/AdLoad.355f6f2e |
Cybereason | malicious.86742a |
Arcabit | Trojan.Generic.D3C59EEF |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | a variant of Win32/TrojanDownloader.Adload.NVT |
APEX | Malicious |
Paloalto | generic.ml |
Kaspersky | Trojan-Downloader.Win32.Adload.scty |
BitDefender | Trojan.GenericKD.63282927 |
Avast | FileRepMalware [Misc] |
Ad-Aware | Trojan.GenericKD.63282927 |
Emsisoft | Trojan.GenericKD.63282927 (B) |
TrendMicro | Trojan.Win32.PRIVATELOADER.YXCKAZ |
McAfee-GW-Edition | BehavesLike.Win32.AdwareFileTour.fc |
FireEye | Trojan.GenericKD.63282927 |
Sophos | Mal/Generic-S |
Detected | |
Avira | HEUR/AGEN.1233171 |
MAX | malware (ai score=99) |
Antiy-AVL | Trojan/Generic.ASSuf.577FC |
Kingsoft | Win32.Troj.Undef.(kcloud) |
Gridinsoft | Trojan.Win32.Downloader.sa |
Microsoft | Trojan:Script/Phonzy.A!ml |
SUPERAntiSpyware | Backdoor.Manuscrypt/Variant |
GData | Trojan.GenericKD.63282927 |
Cynet | Malicious (score: 99) |
AhnLab-V3 | Trojan/Win.Generic.C4501722 |
McAfee | Artemis!AA290CFE7546 |
Malwarebytes | Trojan.Downloader |
TrendMicro-HouseCall | Trojan.Win32.PRIVATELOADER.YXCKAZ |
Tencent | Win32.Trojan-Downloader.Adload.Qcnw |
Ikarus | Trojan-Downloader.Win32.Adload |
MaxSecure | Trojan.Malware.118513902.susgen |
Fortinet | W32/PossibleThreat |
AVG | FileRepMalware [Misc] |
Panda | Trj/CI.A |
CrowdStrike | win/malicious_confidence_100% (W) |