Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 11, 2023, 5:54 p.m. | Sept. 11, 2023, 5:58 p.m. |
Process tree:

- cmd.exe (PID 1336): `"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"' & exit`
  - schtasks.exe (PID 2204): `schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"'`
Name | Response | Post-Analysis Lookup |
---|---|---|
pastebin.com | 172.67.34.170 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49165 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49178 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49168 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49170 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49177 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49171 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49181 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49179 172.67.34.170:443 | None | None | None |
TLS 1.2 192.168.56.101:49176 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49173 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49169 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49180 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
TLS 1.2 192.168.56.101:49174 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f |
section | \x00 |
section | .idata |
section | |
section | biyclhoc |
section | ydkemxvc |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://pastebin.com/raw/pdRjLLjy |
request | GET https://pastebin.com/raw/pdRjLLjy |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"' |
section | {u'size_of_data': u'0x00008800', u'virtual_address': u'0x00002000', u'entropy': 7.9688270567333594, u'name': u' \\x00 ', u'virtual_size': u'0x00012000'} | entropy | 7.96882705673 | description | A section with a high entropy has been found |
section | {u'size_of_data': u'0x0013de00', u'virtual_address': u'0x00234000', u'entropy': 7.952969592314331, u'name': u'biyclhoc', u'virtual_size': u'0x0013e000'} | entropy | 7.95296959231 | description | A section with a high entropy has been found |
entropy | 0.997326203209 | description | Overall entropy of this PE file is high |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"' |
host | 195.58.51.109 |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"' |
dead_host | 195.58.51.109:4449 |
Antivirus | Detection |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Darkrat.4!c |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Gen:Variant.Zusy.483087 |
FireEye | Generic.mg.c9a2e54e8501a2f6 |
ALYac | Gen:Variant.Zusy.483087 |
Malwarebytes | Generic.Malware.AI.DDS |
Sangfor | Suspicious.Win32.Save.a |
CrowdStrike | win/malicious_confidence_100% (W) |
Arcabit | Trojan.Zusy.D75F0F |
BitDefenderTheta | Gen:NN.ZexaF.36662.sz0aa0kM5rd |
Cyren | W32/Themida.B.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
tehtris | Generic.Malware |
ESET-NOD32 | a variant of Win32/Packed.Themida.BEK |
APEX | Malicious |
Cynet | Malicious (score: 100) |
Kaspersky | UDS:Trojan.Win32.DInvoke.gen |
BitDefender | Gen:Variant.Zusy.483087 |
Avast | Win32:Malware-gen |
Tencent | Win32.Risktool.Generic.Osmw |
Emsisoft | Gen:Variant.Zusy.483087 (B) |
F-Secure | Heuristic.HEUR/AGEN.1313458 |
VIPRE | Gen:Variant.Zusy.483087 |
McAfee-GW-Edition | BehavesLike.Win32.Generic.tc |
Trapmine | malicious.high.ml.score |
Sophos | Mal/Generic-S |
SentinelOne | Static AI - Suspicious PE |
Avira | HEUR/AGEN.1313458 |
MAX | malware (ai score=80) |
Gridinsoft | Trojan.Heur!.038100A1 |
Microsoft | Backdoor:Win32/Bladabindi!ml |
ZoneAlarm | UDS:Trojan.Win32.DInvoke.gen |
GData | Gen:Variant.Zusy.483087 |
Detected | |
AhnLab-V3 | Trojan/Win.Generic.C5473877 |
McAfee | Artemis!C9A2E54E8501 |
Cylance | unsafe |
Zoner | Probably Heur.ExeHeaderL |
Rising | Trojan.Generic@AI.100 (RDML:wCt8w7kFjG/5ff5IKkx3YQ) |
Ikarus | Trojan.Win32.Themida |
AVG | Win32:Malware-gen |
DeepInstinct | MALICIOUS |