Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Dec. 11, 2023, 7:16 p.m. | Dec. 11, 2023, 7:53 p.m. |
-
-
-
-
tasklist.exe tasklist
2788 -
findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
2824 -
tasklist.exe tasklist
2936 -
findstr.exe findstr /I "wrsa.exe"
2972 -
cmd.exe cmd /c mkdir 29577
3044 -
cmd.exe cmd /c copy /b Hole + Mechanics + Fever + Queens + Period + Sussex 29577\Represent.pif
604 -
cmd.exe cmd /c copy /b Via + Petroleum + Spider 29577\k
2088 -
Represent.pif 29577\Represent.pif 29577\k
2100 -
PING.EXE ping -n 5 localhost
2220
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
UKnDvWMKHLvcOHop.UKnDvWMKHLvcOHop | ||
JDyyDoFHAd.JDyyDoFHAd |
Suricata Alerts
No Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49177 91.92.252.85:6800 |
C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99 |
TLS 1.2 192.168.56.101:49178 91.92.252.85:6800 |
C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99 |
TLS 1.2 192.168.56.101:49179 91.92.252.85:6800 |
C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate | e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99 |
section | CODE |
section | DATA |
section | BSS |
file | C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif |
file | C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif |
file | C:\Users\test22\AppData\Local\Temp\MedicinesViews.exe |
file | C:\Users\test22\AppData\Local\Temp\11590\Hole |
file | C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process |
process | medicinesviews.exe |
process | cmd.exe |
process | represent.pif |
url | http://www.microsoft.com/schemas/ie8tldlistdescription/1.0 |
url | http://purl.org/rss/1.0/ |
url | http://www.passport.com |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Hijack network configuration | rule | Hijack_Network | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | tasklist |
cmdline | cmd /c mkdir 29577 |
cmdline | ping -n 5 localhost |
buffer | Buffer with sha1: fcf3a403bef45071fb6b9d3c4eea8f85fc39b45a |
host | 91.92.252.85 |
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Agent.Y!c |
MicroWorld-eScan | Trojan.GenericKD.70716860 |
FireEye | Trojan.GenericKD.70716860 |
ALYac | Trojan.GenericKD.70716860 |
Malwarebytes | Trojan.MalPack |
VIPRE | Trojan.GenericKD.70716860 |
Sangfor | Trojan.Win32.Save.a |
Alibaba | TrojanDropper:Win32/Generic.04938747 |
CrowdStrike | win/malicious_confidence_100% (W) |
Symantec | ML.Attribute.HighConfidence |
Elastic | malicious (high confidence) |
ESET-NOD32 | a variant of Win32/TrojanDropper.Delf.ACK |
APEX | Malicious |
Kaspersky | HEUR:Backdoor.Win32.Agent.gen |
BitDefender | Trojan.GenericKD.70716860 |
Avast | Win32:PWSX-gen [Trj] |
Tencent | Malware.Win32.Gencirc.11b9b42a |
Emsisoft | Trojan.GenericKD.70716860 (B) |
F-Secure | Trojan.TR/Drop.Agent.nfmuh |
DrWeb | Trojan.Siggen22.29177 |
TrendMicro | TrojanSpy.Win32.RHADAMANTHYS.YXDLIZ |
Sophos | Mal/Generic-S |
MAX | malware (ai score=89) |
Webroot | W32.Trojan.Gen |
Detected | |
Avira | TR/Drop.Agent.nfmuh |
Antiy-AVL | Trojan/Win32.Sabsik |
Kingsoft | Win32.Troj.Unknown.a |
Microsoft | Trojan:Win32/Sabsik.TE.B!ml |
Gridinsoft | Trojan.Win32.Wacapew.sa |
Xcitium | Malware@#1tmve2tbz67ir |
Arcabit | Trojan.Generic.D4370DBC |
ZoneAlarm | HEUR:Backdoor.Win32.Agent.gen |
GData | Trojan.GenericKD.70716860 |
Cynet | Malicious (score: 99) |
AhnLab-V3 | Trojan/Win.Generic.C5560675 |
Cylance | unsafe |
Panda | Trj/Chgt.AD |
TrendMicro-HouseCall | TrojanSpy.Win32.RHADAMANTHYS.YXDLIZ |
Rising | Backdoor.Agent!8.C5D (TFE:4:lSgtrGCtvkE) |
Ikarus | Trojan-Dropper.Win32.Delf |
MaxSecure | Trojan.Malware.9530778.susgen |
AVG | Win32:PWSX-gen [Trj] |
DeepInstinct | MALICIOUS |