Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Dec. 2, 2022, 10:31 a.m. | Dec. 2, 2022, 10:50 a.m. |
Process | PID | Command line |
---|---|---|
TUN.tmp | 2612 | "C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\TUN.exe" |
poweroff.tmp | 192 | "C:\Users\test22\AppData\Local\Temp\is-07SP5.tmp\poweroff.tmp" /SL5="$9012E,490199,350720,C:\Program Files\Java\LSYEJYHNMF\poweroff.exe" /VERYSILENT |
Power Off.exe | 2224 | "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu |
Laecojylavae.exe | 2328 | "C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe" |
iexplore.exe | 936 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
iexplore.exe | 176 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:936 CREDAT:145409 |
Huqelamano.exe | 2280 | "C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe" |
explorer.exe | 1452 | C:\Windows\Explorer.EXE |
IP Address | Status | Action |
---|---|---|
104.21.73.149 | Active | Moloch |
104.74.168.254 | Active | Moloch |
107.180.41.158 | Active | Moloch |
142.93.169.197 | Active | Moloch |
154.35.175.225 | Active | Moloch |
162.241.24.197 | Active | Moloch |
177.11.54.131 | Active | Moloch |
178.20.55.16 | Active | Moloch |
178.63.41.183 | Active | Moloch |
184.168.97.42 | Active | Moloch |
186.202.127.56 | Active | Moloch |
190.228.29.114 | Active | Moloch |
121.254.136.27 | Active | Moloch |
142.250.207.78 | Active | Moloch |
142.251.220.4 | Active | Moloch |
151.115.10.1 | Active | Moloch |
164.124.101.2 | Active | Moloch |
192.243.59.12 | Active | Moloch |
3.5.136.176 | Active | Moloch |
37.230.138.123 | Active | Moloch |
37.230.138.66 | Active | Moloch |
61.111.58.34 | Active | Moloch |
195.219.57.43 | Active | Moloch |
199.250.214.152 | Active | Moloch |
202.124.241.201 | Active | Moloch |
207.32.181.122 | Active | Moloch |
217.70.178.4 | Active | Moloch |
23.216.159.81 | Active | Moloch |
43.250.140.44 | Active | Moloch |
51.68.204.139 | Active | Moloch |
52.73.17.211 | Active | Moloch |
64.13.192.154 | Active | Moloch |
70.39.146.5 | Active | Moloch |
80.237.132.210 | Active | Moloch |
81.2.195.201 | Active | Moloch |
85.13.163.220 | Active | Moloch |
93.186.117.3 | Active | Moloch |
95.214.53.210 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49167 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.101:49170 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLS 1.2 192.168.56.101:49169 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLS 1.2 192.168.56.101:49168 3.5.136.176:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
TLSv1 192.168.56.101:49185 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.101:49186 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.101:49191 192.243.59.12:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.101:49192 192.243.59.12:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | CODE |
section | DATA |
section | BSS |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.google.com/ |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/SuperNitouDisc.php |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6 |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer2kenpachi.php |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer4Publisher.php |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/publisher/1/KR.json |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
request | HEAD http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe |
request | GET http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | GET http://www.google.com/ |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe |
request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe |
request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
request | GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe |
request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6 |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | GET https://connectini.net/Series/publisher/1/KR.json |
request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
description | Laecojylavae.exe tried to sleep 196 seconds, actually delayed analysis time by 196 seconds |
description | Huqelamano.exe tried to sleep 181 seconds, actually delayed analysis time by 181 seconds |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\_isetup\_shfoldr.dll |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\test22\AppData\Local\Temp\is-BH2K6.tmp\_isetup\_shfoldr.dll |
file | C:\Users\Public\Desktop\powerOff.lnk |
file | C:\Program Files (x86)\Common Files\Haekaeleshywo.exe |
file | C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe |
file | C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\zizou.exe |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\idp.dll |
file | C:\Program Files\Java\LSYEJYHNMF\poweroff.exe |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\Public\Desktop\powerOff.lnk |
file | C:\Program Files\Java\LSYEJYHNMF\poweroff.exe |
file | C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe |
file | C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe |
file | C:\Users\test22\AppData\Local\Temp\is-07SP5.tmp\poweroff.tmp |
file | C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe |
file | C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\zizou.exe |
file | C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:936 CREDAT:145409 |
host | 104.21.73.149 |
host | 104.74.168.254 |
host | 107.180.41.158 |
host | 142.93.169.197 |
host | 154.35.175.225 |
host | 162.241.24.197 |
host | 177.11.54.131 |
host | 178.20.55.16 |
host | 178.63.41.183 |
host | 184.168.97.42 |
host | 186.202.127.56 |
host | 190.228.29.114 |
host | 195.219.57.43 |
host | 199.250.214.152 |
host | 202.124.241.201 |
host | 207.32.181.122 |
host | 217.70.178.4 |
host | 23.216.159.81 |
host | 43.250.140.44 |
host | 51.68.204.139 |
host | 52.73.17.211 |
host | 64.13.192.154 |
host | 70.39.146.5 |
host | 80.237.132.210 |
host | 81.2.195.201 |
host | 85.13.163.220 |
host | 93.186.117.3 |
host | 95.214.53.210 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover | reg_value | "C:\Program Files (x86)\Common Files\Haekaeleshywo.exe" |
file | C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp |
process | TUN.tmp | useragent | InnoDownloadPlugin/1.5 |
process | iexplore.exe | useragent | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
cmdline | "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu |
Bkav | W32.AIDetect.malware2 |
Lionic | Trojan.Win32.Csdi.4!c |
MicroWorld-eScan | Trojan.GenericKD.63967133 |
FireEye | Trojan.GenericKD.63967133 |
Cylance | Unsafe |
Sangfor | Downloader.Msil.Agent.Vuem |
Cybereason | malicious.2011c4 |
Arcabit | Trojan.Generic.D3D00F9D |
Cyren | W32/ABRisk.NNBA-9309 |
Symantec | Trojan.Gen.MBT |
Elastic | malicious (high confidence) |
TrendMicro-HouseCall | Trojan.Win32.PRIVATELOADER.YXCK4Z |
Kaspersky | Trojan-Downloader.MSIL.Csdi.fd |
BitDefender | Trojan.GenericKD.63967133 |
Cynet | Malicious (score: 99) |
Avast | FileRepMalware [Misc] |
Tencent | Msil.Trojan-Downloader.Csdi.Gajl |
Ad-Aware | Trojan.GenericKD.63967133 |
Sophos | Generic ML PUA (PUA) |
Comodo | Malware@#2q0mwq1ko9jd8 |
VIPRE | Trojan.GenericKD.63967133 |
TrendMicro | Trojan.Win32.PRIVATELOADER.YXCK4Z |
Emsisoft | Trojan.GenericKD.63967133 (B) |
APEX | Malicious |
Webroot | W32.Malware.Gen |
Avira | HEUR/AGEN.1233171 |
Kingsoft | Win32.TrojDownloader.MSIL.fd.(kcloud) |
Gridinsoft | Malware.Win32.Phonzy.cl |
Microsoft | Trojan:Script/Phonzy.A!ml |
GData | Trojan.GenericKD.63967133 |
Detected | |
AhnLab-V3 | Malware/Win.Generic.C5190104 |
McAfee | RDN/Generic.dx |
Fortinet | W32/PossibleThreat |
AVG | FileRepMalware [Misc] |
CrowdStrike | win/grayware_confidence_60% (D) |
dead_host | 177.11.54.131:995 |
dead_host | 199.250.214.152:993 |
dead_host | 186.202.127.56:995 |
dead_host | 192.168.56.101:49754 |
dead_host | 81.2.195.201:995 |