Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 15, 2024, 9:26 a.m. | July 15, 2024, 9:28 a.m. |
Process Tree

Process | PID | Command line |
---|---|---|
cmd.exe | 2076 | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe |
└ powershell.exe | 2280 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe |
  └ RootDesign.exe | 2408 | "C:\TheDream\RootDesign.exe" |
explorer.exe | 1236 | C:\Windows\Explorer.EXE |
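As an added example (not part of the sandbox report), the following Python reconstructs the chain above from process-creation telemetry and flags the pattern it shows: cmd.exe launching a hidden-window PowerShell that exists only to start an executable from a non-standard directory. The event records are constructed from the tree; the field names follow Sysmon Event ID 1 by assumption, and the explorer.exe to cmd.exe parent link is assumed because the report does not show cmd.exe's parent.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# Field names follow Sysmon Event ID 1 (pid, ppid, image, cmdline) as an
# assumption about the telemetry source. The explorer.exe -> cmd.exe parent
# link is assumed for the sample; the report does not show cmd.exe's parent.
EVENTS = [
    {"pid": 1236, "ppid": 0, "image": "C:\\Windows\\Explorer.EXE",
     "cmdline": "C:\\Windows\\Explorer.EXE"},
    {"pid": 2076, "ppid": 1236, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c PowerShell.exe -windowstyle hidden '
                'powershell -c C:\\TheDream\\RootDesign.exe'},
    {"pid": 2280, "ppid": 2076,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                '-c C:\\TheDream\\RootDesign.exe'},
    {"pid": 2408, "ppid": 2280, "image": "C:\\TheDream\\RootDesign.exe",
     "cmdline": '"C:\\TheDream\\RootDesign.exe"'},
]

# PowerShell accepts any unambiguous prefix of -WindowStyle and of Hidden,
# so "-w h" is as effective as "-windowstyle hidden"; match the prefixes too.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+(?:h|hi|hid|hidd|hidde|hidden)\b", re.IGNORECASE)
# "-c <path>.exe": PowerShell used purely as a launcher for a binary.
PS_LAUNCHES_EXE = re.compile(r"-c(?:ommand)?\s+\S+\.exe\b", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(events):
    """Map pid -> [root ancestor, ..., self] image basenames, following ppid."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        names, pid, seen = [], e["pid"], set()
        while pid in by_pid and pid not in seen:   # seen guards against pid-reuse loops
            seen.add(pid)
            names.append(basename(by_pid[pid]["image"]))
            pid = by_pid[pid]["ppid"]
        chains[e["pid"]] = names[::-1]
    return chains


def triage(events):
    """Return {pid: {"chain": "a > b > c", "reasons": [...]}} for events worth a look."""
    chains = ancestry(events)
    findings = {}
    for e in events:
        chain = chains[e["pid"]]
        me, parents = chain[-1].lower(), [p.lower() for p in chain[:-1]]
        reasons = []
        if HIDDEN_WINDOW.search(e["cmdline"]):
            reasons.append("hidden_window_powershell")
        if PS_LAUNCHES_EXE.search(e["cmdline"]):
            reasons.append("powershell_as_launcher")
        if me in SHELLS and parents and parents[-1] in SHELLS:
            reasons.append("shell_spawns_shell")
        if not e["image"].lower().startswith(TRUSTED_DIRS) and any(p in SHELLS for p in parents):
            reasons.append("untrusted_path_via_shell")
        if reasons:
            findings[e["pid"]] = {"chain": " > ".join(chain), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(triage(EVENTS).items()):
        print(f"{pid}: {f['chain']} -> {', '.join(f['reasons'])}")
```

The chain reconstruction is what turns three individually weak signals (a hidden window, PowerShell running an .exe, a binary outside the Windows and Program Files trees) into one finding on RootDesign.exe with its full ancestry; a rule that looks at cmdlines in isolation would flag cmd.exe and powershell.exe but never the payload they launch.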
DNS

Name | Response | Post-Analysis Lookup |
---|---|---|
smtp.mail.ru | 94.100.180.160 | |
Suricata Alerts (none)

Suricata TLS

Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49179 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49177 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49203 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49183 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49185 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49191 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49187 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49189 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49207 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49197 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49193 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49195 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49201 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49174 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49181 -> 94.100.180.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49199 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |
TLSv1 192.168.56.103:49205 -> 217.69.139.160:587 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru | f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e |

All 17 sessions are SMTP submission (TCP/587) to two mail.ru servers (10 to 94.100.180.160, 7 to 217.69.139.160), within a two-minute analysis window, and every session presents the same *.mail.ru leaf certificate, so the traffic is the sample talking to the provider's real SMTP service rather than to a look-alike host. No Suricata alert fired on it.
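As an added example (not the report's own tooling), this Python rebuilds the seventeen sessions above as Suricata eve.json `tls` records (constructed from the table, using Suricata's documented field names), aggregates them per destination, flags bulk SMTP-submission bursts, and renders a Suricata rule pinned on the observed certificate fingerprint. The five-session threshold is an assumption.

```python
import json

# Values copied from the report's Suricata TLS table.
SRC_IP = "192.168.56.103"
ISSUER = "C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018"
SUBJECT = "C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru"
FINGERPRINT = "f5:86:61:b5:b2:6c:9a:dd:9a:ba:a0:24:59:4d:7b:99:e6:72:ea:7e"
FLOWS = [  # (source port, destination IP); every session went to TCP/587
    (49179, "94.100.180.160"), (49177, "94.100.180.160"), (49203, "217.69.139.160"),
    (49183, "94.100.180.160"), (49185, "94.100.180.160"), (49191, "94.100.180.160"),
    (49187, "94.100.180.160"), (49189, "94.100.180.160"), (49207, "217.69.139.160"),
    (49197, "217.69.139.160"), (49193, "94.100.180.160"), (49195, "217.69.139.160"),
    (49201, "217.69.139.160"), (49174, "94.100.180.160"), (49181, "94.100.180.160"),
    (49199, "217.69.139.160"), (49205, "217.69.139.160"),
]
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}


def make_eve_lines(flows):
    """Constructed eve.json 'tls' records (one JSON object per line) for the flows."""
    lines = []
    for sport, dip in flows:
        rec = {"event_type": "tls", "proto": "TCP", "src_ip": SRC_IP, "src_port": sport,
               "dest_ip": dip, "dest_port": 587,
               "tls": {"subject": SUBJECT, "issuerdn": ISSUER,
                       "fingerprint": FINGERPRINT, "version": "TLSv1"}}
        lines.append(json.dumps(rec))
    return lines


def summarize_tls(lines):
    """Aggregate eve.json tls events per (dest_ip, dest_port)."""
    summary = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        key = (rec["dest_ip"], rec["dest_port"])
        s = summary.setdefault(key, {"sessions": 0, "src_ports": [],
                                     "subjects": set(), "fingerprints": set()})
        s["sessions"] += 1
        s["src_ports"].append(rec["src_port"])
        s["subjects"].add(rec["tls"].get("subject", ""))
        s["fingerprints"].add(rec["tls"].get("fingerprint", ""))
    return summary


def mail_submission_bursts(summary, min_sessions=5):
    """Destinations on mail ports with enough sessions to look like bulk sending."""
    hits = []
    for (ip, port), s in summary.items():
        if port in MAIL_PORTS and s["sessions"] >= min_sessions:
            hits.append({"dest": f"{ip}:{port}", "service": MAIL_PORTS[port],
                         "sessions": s["sessions"],
                         "src_port_span": max(s["src_ports"]) - min(s["src_ports"]),
                         "subjects": sorted(s["subjects"]),
                         "fingerprints": sorted(s["fingerprints"])})
    return sorted(hits, key=lambda h: h["sessions"], reverse=True)


def suricata_fingerprint_rule(fingerprint, sid,
                              msg="Leaf certificate seen in RootDesign.exe SMTP sessions"):
    """Suricata rule matching the certificate via the tls.fingerprint sticky buffer."""
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"{msg}"; '
            f'tls.fingerprint; content:"{fingerprint}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    summary = summarize_tls(make_eve_lines(FLOWS))
    for hit in mail_submission_bursts(summary):
        print(hit)
    print(suricata_fingerprint_rule(FINGERPRINT, 9000001))
```

The fingerprint rule is deliberately narrow: it identifies this certificate, so it also matches every legitimate mail.ru client on the network and stops matching when the provider renews the certificate. The durable signal is the one the aggregation surfaces, a burst of SMTP-submission sessions from one host to a public webmail provider, combined with host telemetry showing that the process opening TCP/587 is not a mail client.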
Signature Indicators

Type | Value |
---|---|
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | c:\program files\mozilla firefox\firefox.exe |
section | CODE |
section | DATA |
section | BSS |
packer | BobSoft Mini Delphi -> BoB / BobSoft |

CODE, DATA and BSS are the section names the Delphi linker emits, and the PEiD "BobSoft Mini Delphi" signature is known to match ordinary, unpacked Delphi executables; on its own the "packer" mark means "built with Delphi", not "packed".

Type | Value | Description |
---|---|---|
domain | smtp.mail.ru | Russian Federation domain TLD |

Type | Value |
---|---|
file | C:\TheDream\Uninstall.exe |
file | C:\TheDream\RootDesign.exe |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk |

The Temp path in the fourth row literally contains an unexpanded %ProgramData% token, so that shortcut path was built without the environment variable being expanded.

Type | Value |
---|---|
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe |
cmdline | PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe |
cmdline | cmd /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe |
cmdline | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe |
file | C:\TheDream\RootDesign.exe |
YARA rule matches:

Rule | Description |
---|---|
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
DebuggerException__SetConsoleCtrl | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |

These rules are string matches on debugger-related API and flag names present in the binary, which many legitimate programs also contain; treat them as supporting evidence beside the long sleep and the hidden-window launch, not as proof of anti-analysis on their own.
Type | Value |
---|---|
ipaddr | 94.100.180.160 |

SMTP sessions (the sender and receiver fields were empty in every session, as expected when the SMTP exchange is wrapped in TLS):

Server | Sessions | Sender | Receiver |
---|---|---|---|
94.100.180.160 | 10 | [] | [] |
217.69.139.160 | 7 | [] | [] |
Type | Value |
---|---|
description | RootDesign.exe tried to sleep 46380673 seconds, actually delayed analysis time by 46380673 seconds |

46380673 seconds is about 537 days. The whole analysis lasted two minutes (see the header), so the sandbox fast-forwarded the sleep rather than honouring it; a sleep this long is an attempt to outlast a sandbox's time budget, and the fact that the sample ran at all is the sandbox's sleep skipping working as intended.
Registry key | Value |
---|---|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUqdates | C:\TheDream\RootDesign.exe |

Run-key persistence under a value name that mimics "WindowsUpdates" (q in place of p), pointing at the sample's own directory rather than a Windows or Program Files location.
Type | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |

This is the machine Trusted Root store entry for the certificate with SHA-1 thumbprint F81F111D0E5AB58D396F7BF525577FD30FDC95AA. Before reading it as a rogue root install, confirm from the API log whether the key was written rather than read, and check the thumbprint against known CA roots, starting with the GlobalSign chain seen in the TLS table.
Parent process | "Martian" child process (a child the parent is not expected to spawn) |
---|---|
powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe |
powershell.exe | "C:\TheDream\RootDesign.exe" |

Option | Description |
---|---|
-windowstyle hidden | Attempts to execute command with a hidden window (reported once for each of the three command lines above) |

Type | Value |
---|---|
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\TheDream\RootDesign.exe |
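As an added example (not from the report), this Python audits Run-key entries for the two properties the persistence entry above shows: a value name one or two edits away from a plausible Windows name, and an executable outside the Windows and Program Files trees. The entry list is constructed (the report's entry plus two invented benign-looking ones), the watchlist of plausible names is an assumption, and the live reader for the HKCU/HKLM Run and RunOnce keys only runs on Windows.

```python
import re
import sys

# Constructed Run-key entries: the first is the value from the report, the
# other two are invented benign-looking entries for contrast.
SAMPLE_RUN_ENTRIES = [
    ("HKCU", "WindowsUqdates", "C:\\TheDream\\RootDesign.exe"),
    ("HKLM", "SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive",
     '"C:\\Users\\test22\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
]

# Names an operator would accept at a glance; a fake entry is likely to sit
# one or two edits away from one of these. The list is an assumption.
PLAUSIBLE_NAMES = ["WindowsUpdate", "WindowsUpdates", "WindowsDefender", "SecurityHealth",
                   "OneDrive", "ctfmon", "MicrosoftEdgeAutoLaunch"]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance with a single rolling row; strings here are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(data):
    """First .exe path in a Run value, quotes stripped, Windows-dir variables folded."""
    m = EXE_RE.search(data)
    path = (m.group(1) or m.group(2)) if m else data.strip('"')
    path = path.lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, "c:\\windows")
    return path


def audit_run_entries(entries, max_edits=2):
    """Return one finding per suspicious (hive, name, data) entry."""
    findings = []
    for hive, name, data in entries:
        reasons = []
        closest = min(PLAUSIBLE_NAMES, key=lambda n: levenshtein(name.lower(), n.lower()))
        distance = levenshtein(name.lower(), closest.lower())
        if 1 <= distance <= max_edits:        # exact matches are the real thing, not lookalikes
            reasons.append(f"lookalike_of:{closest}")
        path = image_path(data)
        if not path.startswith(TRUSTED_DIRS):  # AppData is common for benign software too
            reasons.append("outside_trusted_dirs")
        if reasons:
            lookalike = any(r.startswith("lookalike_of:") for r in reasons)
            findings.append({"hive": hive, "name": name, "path": path, "reasons": reasons,
                             "severity": "high" if lookalike else "low"})
    return findings


def read_run_keys():
    """Live enumeration of Run/RunOnce for HKCU and HKLM (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for label, hive in hives.items():
        for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                    r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values
                        break
                    entries.append((label, name, str(data)))
                    index += 1
    return entries


if __name__ == "__main__":
    entries = read_run_keys() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for f in audit_run_entries(entries):
        print(f"[{f['severity']}] {f['hive']}\\...\\Run\\{f['name']} -> {f['path']} "
              f"({', '.join(f['reasons'])})")
```

The name check is the higher-value half: an executable in a user-writable directory is common for legitimate software, but a value name that is a single edit from a system-sounding name has no benign explanation, which is why the two signals are weighted differently in the severity.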
Antivirus Results

Vendor | Detection |
---|---|
Lionic | Trojan.Win32.Sysn.b!c |
Elastic | malicious (moderate confidence) |
Cynet | Malicious (score: 100) |
ALYac | Gen:Variant.Tedy.577745 |
Cylance | Unsafe |
VIPRE | Gen:Variant.Tedy.577745 |
Sangfor | Trojan.Win32.Agent.Vuci |
BitDefender | Gen:Variant.Tedy.577745 |
Cybereason | malicious.64daaa |
Arcabit | Trojan.Tedy.D8D0D1 |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
McAfee | Artemis!E739795E2208 |
Avast | Win32:MalwareX-gen [Trj] |
Kaspersky | Trojan-Dropper.Win32.Sysn.dbnn |
MicroWorld-eScan | Gen:Variant.Tedy.577745 |
Emsisoft | Gen:Variant.Tedy.577745 (B) |
McAfeeD | ti!A94869345F7F |
Trapmine | suspicious.low.ml.score |
FireEye | Gen:Variant.Tedy.577745 |
Sophos | Generic Reputation PUA (PUA) |
Ikarus | Trojan.JS.Kilim |
MAX | malware (ai score=89) |
Kingsoft | malware.kb.a.891 |
Gridinsoft | Ransom.Win32.AI.sa |
Microsoft | Trojan:Win32/Casdet!rfn |
ZoneAlarm | Trojan-Dropper.Win32.Sysn.dbnn |
GData | Gen:Variant.Tedy.577745 |
Varist | W32/ABTrojan.IRMF-8743 |
BitDefenderTheta | Gen:NN.ZemsilF.36808.hu0@aO8zQFi |
DeepInstinct | MALICIOUS |
Malwarebytes | Malware.AI.106378209 |
SentinelOne | Static AI - Suspicious PE |
MaxSecure | Trojan-Ransom.Win32.Crypmod.zfq |
Fortinet | W32/PossibleThreat |
AVG | Win32:MalwareX-gen [Trj] |
Paloalto | generic.ml |

Most detections are generic or machine-learning verdicts. The repeated Gen:Variant.Tedy.577745 label comes from the BitDefender engine, which several of the listed vendors license, so those rows are one detection reported many times rather than independent corroboration; likewise ZoneAlarm's verdict is the Kaspersky engine's. The only family-specific names are Kaspersky's Trojan-Dropper.Win32.Sysn and the matching Lionic label.