Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Aug. 4, 2024, 1:25 p.m. | Aug. 4, 2024, 1:39 p.m. |
-
-
-
-
cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL
2464
-
-
svchosl.exe C:\Windows\Temp\drsx\svchosl.exe
2804 -
-
net1.exe C:\Windows\system32\net1 stop xbbrowser_service
2920
-
-
-
net1.exe C:\Windows\system32\net1 stop xblanupdate_svc
3008
-
-
PING.EXE ping -n 3 127.0.0.1
3056 -
svchoxb.exe C:\Windows\Temp\drsx\svchoxb.exe
1384
-
-
IP Address | Status | Action |
---|---|---|
116.62.214.53 | Active | Moloch |
118.178.125.54 | Active | Moloch |
118.24.85.16 | Active | Moloch |
124.223.105.161 | Active | Moloch |
139.196.217.38 | Active | Moloch |
164.124.101.2 | Active | Moloch |
18.138.132.100 | Active | Moloch |
38.147.189.238 | Active | Moloch |
47.96.87.99 | Active | Moloch |
47.97.204.105 | Active | Moloch |
47.98.133.194 | Active | Moloch |
60.12.184.62 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49183 118.24.85.16:443 |
C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | CN=*.minibai.com | 40:08:fa:f7:f6:1a:17:0c:aa:c1:99:5b:de:37:59:0c:0e:41:db:cd |
TLSv1 192.168.56.101:49196 18.138.132.100:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M03 | CN=checkip.amazonaws.com | 3b:5d:c1:80:5a:4e:53:16:ce:0b:31:80:0c:26:91:07:c7:5b:0d:d0 |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://pcupd.com/tfsoft/xftd/v2/ctf/ | ||||||
suspicious_features | POST method with no referer header | suspicious_request | POST https://mc.minibai.com/api/gv1/push |
request | GET http://pcupd.com/tfsoft/xftd/v2/ctf/ |
request | POST https://mc.minibai.com/api/gv1/push |
request | GET https://checkip.amazonaws.com/ |
request | POST https://mc.minibai.com/api/gv1/push |
ip | 116.62.214.53 |
ip | 118.178.125.54 |
ip | 124.223.105.161 |
ip | 38.147.189.238 |
ip | 47.96.87.99 |
ip | 47.97.204.105 |
ip | 47.98.133.194 |
ip | 60.12.184.62 |
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | GLS_BINARY_LSB_FIRST | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106b84 | size | 0x00000468 | ||||||||||||||||||
name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00106ff0 | size | 0x00000076 | ||||||||||||||||||
name | RT_VERSION | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0010706c | size | 0x00000350 |
domain | checkip.amazonaws.com |
file | C:\Windows\Temp\drsx\hl.bat |
file | C:\Windows\Temp\drsx\svchoxb.exe |
file | C:\Windows\Temp\drsx\sf.dll |
file | C:\Windows\Temp\drsx\svchosi.exe |
file | C:\Windows\Temp\drsx\svchosl.exe |
cmdline | C:\Windows\System32\cmd.exe /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL |
cmdline | "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL |
wmi | SELECT * FROM Win32_IP4RouteTable |
wmi | SELECT * FROM Win32_NetworkAdapterConfiguration |
wmi | SELECT * FROM Win32_PhysicalMemory |
section | {u'size_of_data': u'0x00062800', u'virtual_address': u'0x00097000', u'entropy': 7.932912008549378, u'name': u'UPX1', u'virtual_size': u'0x00063000'} | entropy | 7.93291200855 | description | A section with a high entropy has been found | |||||||||
entropy | 0.878483835006 | description | Overall entropy of this PE file is high |
url | http://crl.comodo.net/TrustedCertificateServices.crl0 |
url | http://users.ocsp.d-trust.net03 |
url | http://crl.ssc.lt/root-b/cacrl.crl0 |
url | http://crl.securetrust.com/STCA.crl0 |
url | http://crl.securetrust.com/SGCA.crl0 |
url | http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= |
url | http://www.ssc.lt/cps03 |
url | http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 |
url | http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 |
url | http://www.microsoft.com/pki/certs/TrustListPCA.crt0 |
url | https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 |
url | http://www.pkioverheid.nl/policies/root-policy0 |
url | http://cps.chambersign.org/cps/chambersroot.html0 |
url | http://www.e-szigno.hu/SZSZ/0 |
url | http://www.entrust.net/CRL/Client1.crl0 |
url | http://crl.chambersign.org/publicnotaryroot.crl0 |
url | http://crl.comodo.net/AAACertificateServices.crl0 |
url | http://www.certplus.com/CRL/class3.crl0 |
url | http://logo.verisign.com/vslogo.gif0 |
url | http://www.acabogacia.org/doc0 |
url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
url | https://www.catcert.net/verarrel |
url | http://www.microsoft.com/schemas/ie8tldlistdescription/1.0 |
url | http://www.sk.ee/cps/0 |
url | http://www.quovadis.bm0 |
url | https://www.catcert.net/verarrel05 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 |
url | http://crl.chambersign.org/chambersroot.crl0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
url | http://crl.globalsign.net/root-r2.crl0 |
url | http://certificates.starfieldtech.com/repository/1604 |
url | http://www.d-trust.net0 |
url | http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 |
url | http://crl.ssc.lt/root-a/cacrl.crl0 |
url | http://crl.usertrust.com/UTN-DATACorpSGC.crl0 |
url | http://www.certicamara.com/certicamaraca.crl0 |
url | http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0 |
url | http://crl.usertrust.com/UTN-USERFirst-Object.crl0) |
url | http://www.post.trust.ie/reposit/cps.html0 |
url | http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0 |
url | http://www2.public-trust.com/crl/ct/ctroot.crl0 |
url | http://www.certicamara.com0 |
url | http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 |
url | http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 |
url | http://www.comsign.co.il/cps0 |
url | http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0 |
url | http://www.microsoft.com/pki/crl/products/TrustListPCA.crl |
url | http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 |
url | http://www.signatur.rtr.at/de/directory/cps.html0 |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Hijack network configuration | rule | Hijack_Network | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active |
section | UPX0 | description | Section name indicates UPX | ||||||
section | UPX1 | description | Section name indicates UPX |
cmdline | net stop xblanupdate_svc |
cmdline | ping -n 3 127.0.0.1 |
cmdline | net stop xbbrowser_service |
cmdline | C:\Windows\System32\cmd.exe /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL |
cmdline | "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL |
wmi | SELECT * FROM Win32_PhysicalMemory |
wmi | SELECT * FROM Win32_NetworkAdapterConfiguration |
buffer | Buffer with sha1: fa2dd7cb64847733f417736d51e7a775659df7fa |
host | 116.62.214.53 | |||
host | 124.223.105.161 | |||
host | 47.96.87.99 | |||
host | 47.97.204.105 | |||
host | 47.98.133.194 | |||
host | 60.12.184.62 |
file | C:\Windows\Temp\drsx\svchosi.exe |
file | C:\Windows\Temp\drsx\svchosl.exe |
file | C:\Windows\Temp\drsx\svchoxb.exe |