Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 16, 2024, 2:56 a.m. | July 16, 2024, 2:59 a.m. |
Process | PID | Command line |
---|---|---|
wscript.exe | 2556 | "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08_4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js |
wscript.exe | 2648 | "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js" |
windowsjx.exe | 2980 | C:\ProgramData\Remcos\windowsjx.exe |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
185.157.162.75 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
description | windowsjx.exe tried to sleep 349 seconds, actually delayed analysis time by 349 seconds |
file | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
file | C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js |
file | C:\Users\test22\AppData\Local\Temp\install.vbs |
cmdline | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe" |
file | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
host | 185.157.162.75 |
reg_key | reg_value |
---|---|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoftjx | "C:\ProgramData\Remcos\windowsjx.exe" |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoftjx | "C:\ProgramData\Remcos\windowsjx.exe" |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoftjx | "C:\ProgramData\Remcos\windowsjx.exe" |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoftjx | "C:\ProgramData\Remcos\windowsjx.exe" |
file | C:\Users\test22\AppData\Local\Temp\install.vbs |
file | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
file | C:\Users\test22\AppData\Local\Temp\install.vbs |
parent_process | martian_process |
---|---|
wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js" |
wscript.exe | "C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe" |
wscript.exe | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
wscript.exe | wscript //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js" |
wscript.exe | cmd /c "C:\ProgramData\Remcos\windowsjx.exe" |
wscript.exe | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe" |
file | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
Engine | Result |
---|---|
Lionic | Trojan.Script.Generic.4!c |
McAfee | JS/Vjw0rm.b |
ALYac | Trojan.Script.GenericKDZ.13960 |
VIPRE | Trojan.Script.GenericKDZ.13960 |
Sangfor | Malware.Generic-JS.Save.c2e12912 |
Arcabit | Trojan.Script.Generic.D3688 |
Cyren | JS/Agent.BII.gen!Eldorado |
Symantec | ISB.Dropper!gen1 |
ESET-NOD32 | JS/TrojanDropper.Agent.NSL |
Avast | JS:Cryxos-M [Trj] |
Cynet | Malicious (score: 99) |
BitDefender | Trojan.Script.GenericKDZ.13960 |
NANO-Antivirus | Trojan.Script.Dropper.foxxbq |
MicroWorld-eScan | Trojan.Script.GenericKDZ.13960 |
Rising | Dropper.Agent/JS!8.126A2 (TOPIS:E0:A4NeuhdiXIR) |
Emsisoft | Trojan.Script.GenericKDZ.13960 (B) |
F-Secure | Malware.JS/Malscript.G34 |
DrWeb | Trojan.Siggen18.29718 |
McAfee-GW-Edition | JS/Vjw0rm.b |
FireEye | Trojan.Script.GenericKDZ.13960 |
Ikarus | Trojan.Script |
Avira | JS/Malscript.G34 |
Microsoft | Trojan:Win32/Leonem |
GData | Trojan.Script.GenericKDZ.13960 |
Detected | |
VBA32 | suspected of JS.Crypted.Heur |
Tencent | Js.Virus.Malscript.Kqil |
MAX | malware (ai score=84) |
AVG | JS:Cryxos-M [Trj] |
dead_host | 185.157.162.75:62186 |
file | C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe |
file | C:\Windows\SysWOW64\wscript.exe |
file | C:\Windows\System32\cmd.exe |