newrock2.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | Jan. 13, 2024, 7:15 p.m. | Jan. 13, 2024, 7:24 p.m. |
-
-
-
-
-
chcp.com chcp 1251
1400 -
schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
2256
-
-
-
-
rty25.exe "C:\Users\test22\AppData\Local\Temp\rty25.exe"
2716
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.67.53.27 |
| i.alie3ksgaa.com | 154.92.15.189 |
Suricata Alerts
Suricata TLS
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| suspicious_features | Connection to IP address | suspicious_request | GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab | ||||||
| suspicious_features | Connection to IP address | suspicious_request | GET http://185.172.128.53/syncUpd.exe | ||||||
| request | GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab |
| request | GET http://185.172.128.53/syncUpd.exe |
| request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
| file | C:\Users\test22\AppData\Local\Temp\nswF2BD.tmp\INetC.dll |
| file | C:\Users\test22\AppData\Roaming\Temp\Task.bat |
| file | C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe |
| file | C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe |
| file | C:\Users\test22\AppData\Local\Temp\BroomSetup.exe |
| file | C:\Users\test22\AppData\Local\Temp\rty25.exe |
| cmdline | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| file | C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe |
| file | C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe |
| file | C:\Users\test22\AppData\Local\Temp\rty25.exe |
| file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
| file | C:\Users\test22\AppData\Local\Temp\BroomSetup.exe |
| file | C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe |
| file | C:\Users\test22\AppData\Local\Temp\nstF8B9.tmp |
| file | C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe |
| file | C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe |
| file | C:\Users\test22\AppData\Local\Temp\nswF2BD.tmp\INetC.dll |
| file | C:\Users\test22\AppData\Local\Temp\newrock2.exe |
| section | {u'size_of_data': u'0x006b0e00', u'virtual_address': u'0x00002000', u'entropy': 7.964969129070033, u'name': u'.text', u'virtual_size': u'0x006b0c54'} | entropy | 7.96496912907 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.999708178303 | description | Overall entropy of this PE file is high | |||||||||||
| cmdline | chcp 1251 |
| cmdline | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| host | 185.172.128.53 | |||
| host | 185.172.128.90 | |||
| file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
| cmdline | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| file | C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe |
| process | InstallSetup7.exe | useragent | NSIS_Inetc (Mozilla) | ||||||
| process | rty25.exe | useragent | HTTPREAD | ||||||
| file | C:\Windows\Prefetch\SDIAGNHOST.EXE-8D72177C.pf |
| file | C:\Windows\Prefetch\CHCP.COM-198E8AEB.pf |
| file | c:\Windows\Temp\fwtsqmfile01.sqm |
| file | C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf |
| file | c:\Windows\Temp\fwtsqmfile00.sqm |
| file | C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf |
| file | C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf |
| file | C:\Windows\Prefetch\RUNDLL32.EXE-7BCB21A1.pf |
| file | C:\Windows\Prefetch\INJECT-X64.EXE-AAEEB6EB.pf |
| file | C:\Windows\Prefetch\Layout.ini |
| file | C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf |
| file | C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP |
| file | C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf |
| file | C:\Windows\Prefetch\SETUP.EXE-A9A86358.pf |
| file | C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf |
| file | C:\Windows\Prefetch\SVCHOST.EXE-CF79EE4C.pf |
| file | C:\Windows\Prefetch\IS32BIT.EXE-9A90D66E.pf |
| file | C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf |
| file | C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf |
| file | C:\Windows\Prefetch\PING.EXE-7E94E73E.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\uglified_jindo[1].js |
| file | C:\Windows\Prefetch\ReadyBoot\Trace9.fx |
| file | C:\Windows\Prefetch\SETUP-STUB.EXE-8F842224.pf |
| file | C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A |
| file | C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf |
| file | C:\Windows\Prefetch\MSIEXEC.EXE-A2D55CB6.pf |
| file | C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf |
| file | C:\Windows\Prefetch\PW.EXE-1D40DDAD.pf |
| file | C:\Windows\Prefetch\ReadyBoot\Trace1.fx |
| file | C:\Windows\Prefetch\AgGlGlobalHistory.db |
| file | C:\Windows\Prefetch\DEFAULT-BROWSER-AGENT.EXE-01C82E17.pf |
| file | C:\Windows\Prefetch\INJECT-X86.EXE-6FB1ED76.pf |
| file | C:\Windows\Prefetch\INJECT-X64.EXE-7E2195F2.pf |
| file | C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf |
| file | C:\Windows\Prefetch\ReadyBoot\Trace8.fx |
| file | C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf |
| file | C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf |
| file | C:\Windows\Prefetch\SVCHOST.EXE-5901D5E8.pf |
| file | C:\Windows\Prefetch\MMC.EXE-561C5A40.pf |
| file | C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT |
| file | C:\Windows\Prefetch\W32TM.EXE-1101AF41.pf |
| file | C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf |
| file | C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf |
| file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000009.log |
| file | C:\Windows\Prefetch\SVCHOST.EXE-A1476A17.pf |
| file | C:\Windows\Prefetch\PfSvPerfStats.bin |
| file | C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf |
| file | C:\Windows\Prefetch\MSCORSVW.EXE-C3C515BD.pf |
| file | C:\Windows\Prefetch\EDITPLUS.EXE-BB0BC86D.pf |
| file | C:\Users\test22\AppData\Local\Temp\nsaF06A.tmp |
| file | C:\Users\test22\AppData\Local\Temp\nswF2BD.tmp |
| file | C:\Users\test22\AppData\Local\Temp\nswF2BD.tmp\INetC.dll |
| file | C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\013[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\7028d2d448816aeaab0e_20211029092933036[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn |
| file | c:\Windows\Temp\fwtsqmfile01.sqm |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAUKPFFO.jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\348acc74d7ad9acbdda7_20211101182838273[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[3].png |
| file | C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg |
| file | C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf |
| file | C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log |
| file | C:\Users\test22\AppData\Local\Temp\BroomSetup.exe |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.12.4.min_v1[1].js |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\w[1].css |
| file | C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\S6uyw4BMUTPHjx4wWA[1].woff |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\icon_spacer-vflN3BYt2[1].gif |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3a7f4c4cb962a54fae75_20200728093632144[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_77691188554226350[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js |
| file | C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\977[1].png |
| file | C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\015[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\smart_editor2.me.min.200716[1].css |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[3].htm |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\327[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png |
| file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg |
| file | C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf |