Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 1, 2024, 11 a.m. | July 1, 2024, 11:02 a.m. |
Process | Command line | PID |
---|---|---|
netsh.exe | netsh ipsec static add policy name=Block | 2208 |
netsh.exe | netsh ipsec static add filterlist name=Filter1 | 292 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP | 284 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP | 664 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP | 1716 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP | 2544 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP | 3036 |
netsh.exe | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP | 2336 |
netsh.exe | netsh ipsec static add filteraction name=FilteraAtion1 action=block | 2116 |
netsh.exe | netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 | 260 |
netsh.exe | netsh ipsec static set policy name=Block assign=y | 2804 |
powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe" | 1116 |
IP Address | Status | Action |
---|---|---|
1.226.84.135 | Active | Moloch |
119.203.212.165 | Active | Moloch |
16.162.201.176 | Active | Moloch |
164.124.101.2 | Active | Moloch |
193.228.196.69 | Active | Moloch |
213.188.196.246 | Active | Moloch |
23.45.52.224 | Active | Moloch |
43.198.152.240 | Active | Moloch |
51.161.196.188 | Active | Moloch |
93.189.62.83 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.102:51405 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic |
TCP 119.203.212.165:80 -> 192.168.56.102:49174 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation |
TCP 192.168.56.102:49191 -> 51.161.196.188:443 | 2038968 | ET INFO SSH-2.0-Go version string Observed in Network Traffic | Misc activity |
UDP 192.168.56.102:50014 -> 164.124.101.2:53 | 2034196 | ET INFO External IP Lookup Domain DNS Lookup (my-ip .io) | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49168 23.45.52.224:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com | 2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63 |
TLS 1.2 192.168.56.102:49176 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:49194 193.228.196.69:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae |
TLS 1.3 192.168.56.102:49197 213.188.196.246:443 | None | None | None |
TLS 1.2 192.168.56.102:49188 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:49192 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
packer | UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://43.198.152.240:8080/api/node/ip_validate |
request | GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe |
request | GET http://down.ftp21.cc/64.jpg |
request | GET http://down.ftp21.cc/Update.txt |
request | GET http://43.198.152.240:8080/api/node/ip_validate |
name | RT_VERSION | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x017f305c | size | 0x00000254 |
file | C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe" |
file | C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe |
file | C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll |
section | {u'size_of_data': u'0x00bace00', u'virtual_address': u'0x00c46000', u'entropy': 7.904992015828074, u'name': u'UPX1', u'virtual_size': u'0x00bad000'} | entropy | 7.90499201583 | description | A section with a high entropy has been found |
entropy | 0.999874550473 | description | Overall entropy of this PE file is high |
section | UPX0 | description | Section name indicates UPX |
section | UPX1 | description | Section name indicates UPX |
cmdline | netsh ipsec static add filteraction name=FilteraAtion1 action=block |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP |
cmdline | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe" |
cmdline | netsh ipsec static add filterlist name=Filter1 |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP |
cmdline | netsh ipsec static add policy name=Block |
cmdline | netsh ipsec static set policy name=Block assign=y |
cmdline | netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP |
cmdline | netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
host | 43.198.152.240 |
host | 51.161.196.188 |
service_name | GraphicsPerfSvcs | service_path | C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k GraphicsPerfSvcsGroup |
reg_key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll | reg_value | C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Generic.4!c |
Elastic | malicious (moderate confidence) |
Cynet | Malicious (score: 99) |
CAT-QuickHeal | Trojan.Generic |
Skyhigh | BehavesLike.Win32.Generic.wc |
ALYac | Gen:Variant.Zusy.551315 |
Cylance | Unsafe |
VIPRE | Gen:Variant.Zusy.551315 |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | CryptoMiner ( 005942761 ) |
BitDefender | Gen:Variant.Zusy.551315 |
K7GW | CryptoMiner ( 005942761 ) |
Cybereason | malicious.3021f8 |
Arcabit | Trojan.Zusy.D86993 |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/CoinMiner.CIB |
APEX | Malicious |
McAfee | Artemis!422F3763021F |
Avast | Win32:Trojan-gen |
ClamAV | Win.Virus.Gh0stRAT-6997801-0 |
Kaspersky | HEUR:Trojan.Win32.Generic |
Alibaba | Backdoor:Win32/Zegost.f6cb248b |
NANO-Antivirus | Trojan.Win32.CoinMiner.kogggh |
MicroWorld-eScan | Gen:Variant.Zusy.551315 |
Rising | Backdoor.Zegost!8.177 (TFE:5:ZJ9JS4CoS8B) |
Emsisoft | Gen:Variant.Zusy.551315 (B) |
F-Secure | Heuristic.HEUR/AGEN.1369711 |
DrWeb | BackDoor.Spy.422 |
Zillya | Trojan.CoinMiner.Win32.52025 |
TrendMicro | TROJ_GEN.R03BC0DFA24 |
McAfeeD | ti!A1871F4F0149 |
Trapmine | malicious.high.ml.score |
FireEye | Gen:Variant.Zusy.551315 |
Sophos | Mal/Generic-S |
Ikarus | Trojan.Win32.CoinMiner |
Webroot | W32.Trojan.Gen |
Detected | |
Avira | HEUR/AGEN.1369711 |
Antiy-AVL | Trojan/Win32.Blamon.a |
Kingsoft | Win32.Trojan.Generic.a |
Xcitium | Packed.Win32.MUPX.Gen@24tbus |
Microsoft | Backdoor:Win32/Zegost.AD |
ZoneAlarm | HEUR:Backdoor.Win32.Farfli.gen |
GData | Win32.Trojan.Agent.WP |
AhnLab-V3 | Backdoor/Win.Zegost.C5630478 |
BitDefenderTheta | Gen:NN.ZexaF.36808.@pKfae9LWmkb |
DeepInstinct | MALICIOUS |
VBA32 | BScope.Trojan.Miancha |
Panda | Trj/CI.A |
dead_host | 1.226.84.135:53 |
dead_host | 192.168.56.102:49186 |