Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Dec. 8, 2022, 10:31 a.m. | Dec. 8, 2022, 10:42 a.m. |
-
-
TUN3.tmp "C:\Users\test22\AppData\Local\Temp\is-GK0T2.tmp\TUN3.tmp" /SL5="$30028,140559,56832,C:\Users\test22\AppData\Local\Temp\TUN3.exe"
1156-
-
-
poweroff.tmp "C:\Users\test22\AppData\Local\Temp\is-FIOTD.tmp\poweroff.tmp" /SL5="$8002C,490199,350720,C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe" /VERYSILENT
2940-
Power Off.exe "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
3052
-
-
-
Bymixiliti.exe "C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe"
2876-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
2700-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:145409
2012
-
-
-
Lejaerosholy.exe "C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe"
2964
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1236
IP Address | Status | Action |
---|---|---|
104.21.1.91 | Active | Moloch |
142.250.204.142 | Active | Moloch |
142.251.42.164 | Active | Moloch |
151.115.10.1 | Active | Moloch |
164.124.101.2 | Active | Moloch |
192.243.59.12 | Active | Moloch |
192.243.61.227 | Active | Moloch |
23.160.193.16 | Active | Moloch |
23.50.121.153 | Active | Moloch |
23.67.53.18 | Active | Moloch |
37.230.138.123 | Active | Moloch |
37.230.138.66 | Active | Moloch |
52.219.170.30 | Active | Moloch |
61.111.58.34 | Active | Moloch |
61.111.58.35 | Active | Moloch |
95.214.24.96 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49168 52.219.170.30:443 |
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
TLSv1 192.168.56.103:49166 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.103:49169 151.115.10.1:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLSv1 192.168.56.103:49200 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.103:49170 151.115.10.1:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLSv1 192.168.56.103:49205 192.243.61.227:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.103:49206 192.243.61.227:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.103:49191 37.230.138.123:443 |
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | CODE |
section | DATA |
section | BSS |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.google.com/ | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/SuperNitouDisc.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6 | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer4Publisher.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/publisher/1/KR.json | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://connectini.net/Series/Conumer2kenpachi.php | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW |
request | HEAD http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe |
request | GET http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | GET http://www.google.com/ |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe |
request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6 |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | GET https://connectini.net/Series/publisher/1/KR.json |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
description | Bymixiliti.exe tried to sleep 124 seconds, actually delayed analysis time by 124 seconds |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-O6PNL.tmp\_isetup\_shfoldr.dll |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\Public\Desktop\powerOff.lnk |
file | C:\Program Files (x86)\7-Zip\Naegajysipae.exe |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\zizou.exe |
file | C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe |
file | C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe |
file | C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\_isetup\_shfoldr.dll |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\Public\Desktop\powerOff.lnk |
file | C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe |
file | C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe |
file | C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe |
file | C:\Users\test22\AppData\Local\Temp\is-GK0T2.tmp\TUN3.tmp |
file | C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe |
file | C:\Users\test22\AppData\Local\Temp\is-FIOTD.tmp\poweroff.tmp |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\zizou.exe |
file | C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:145409 |
cmdline | C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
host | 95.214.24.96 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover | reg_value | "C:\Program Files (x86)\7-Zip\Naegajysipae.exe" |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
process | TUN3.tmp | useragent | InnoDownloadPlugin/1.5 | ||||||
process | iexplore.exe | useragent | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
cmdline | "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu |
Bkav | W32.AIDetect.malware2 |
Lionic | Trojan.Win32.Csdi.4!c |
MicroWorld-eScan | Gen:Variant.Babar.125028 |
ALYac | Gen:Variant.Babar.125028 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Agent.Aohr |
Cybereason | malicious.fd714b |
Arcabit | Trojan.Babar.D1E864 |
Symantec | Trojan.Gen.MBT |
Elastic | malicious (high confidence) |
APEX | Malicious |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Gen:Variant.Babar.125028 |
Avast | FileRepMalware [Cryp] |
Ad-Aware | Gen:Variant.Babar.125028 |
Emsisoft | Gen:Variant.Babar.125028 (B) |
VIPRE | Gen:Variant.Babar.125028 |
McAfee-GW-Edition | BehavesLike.Win32.AdwareFileTour.fc |
FireEye | Gen:Variant.Babar.125028 |
Sophos | Mal/Generic-S |
Avira | HEUR/AGEN.1233171 |
MAX | malware (ai score=82) |
Kingsoft | Win32.Troj.Undef.(kcloud) |
Microsoft | Trojan:Win32/Manuscrypt!MTB |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
GData | Gen:Variant.Babar.125028 |
Cynet | Malicious (score: 99) |
AhnLab-V3 | Malware/Win.Generic.C5190104 |
McAfee | Artemis!F59160F8BF6D |
Malwarebytes | Trojan.Dropper |
TrendMicro-HouseCall | TROJ_GEN.R002H07L722 |
Fortinet | W32/PossibleThreat |
AVG | FileRepMalware [Cryp] |
CrowdStrike | win/malicious_confidence_100% (W) |
dead_host | 192.168.56.103:49202 |
dead_host | 192.243.59.12:443 |
dead_host | 192.168.56.103:49201 |