Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 19, 2024, 10:22 a.m. | Sept. 19, 2024, 10:24 a.m. |
Process | PID | Command line |
---|---|---|
231.tmp | 2660 | "C:\Users\test22\AppData\Local\Temp\is-NDD40.tmp\231.tmp" /SL5="$80178,10740751,812544,C:\Users\test22\AppData\Local\Temp\231.exe" |
231.tmp | 2792 | "C:\Users\test22\AppData\Local\Temp\is-H496T.tmp\231.tmp" /SL5="$90178,10740751,812544,C:\Users\test22\AppData\Local\Temp\231.exe" /VERYSILENT /NORESTART |
tasklist.exe | 2904 | tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH |
find.exe | 2940 | find /I "wrsa.exe" |
tasklist.exe | 2076 | tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH |
find.exe | 2104 | find /I "opssvc.exe" |
cmd.exe | 2176 | "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe" |
tasklist.exe | 2248 | tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH |
find.exe | 2380 | find /I "avastui.exe" |
tasklist.exe | 2620 | tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH |
find.exe | 2744 | find /I "avgui.exe" |
cmd.exe | 2644 | "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe" |
tasklist.exe | 2860 | tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH |
find.exe | 2932 | find /I "nswscsvc.exe" |
cmd.exe | 3068 | "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe" |
tasklist.exe | 2712 | tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH |
find.exe | 2112 | find /I "sophoshealth.exe" |
AutoIt3.exe | 2308 | "C:\Users\test22\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\test22\AppData\Local\acetiam\\grayhound1..a3x" |
cmd.exe | 2316 | "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\68vp5vaM2.a3x && del C:\ProgramData\\68vp5vaM2.a3x |
PING.EXE | 2836 | ping -n 5 127.0.0.1 |
MSBuild.exe | 1376 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
IP Address | Status | Action |
---|---|---|
45.141.86.82 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49240 -> 45.141.86.82:15647 | 2051910 | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity | A Network Trojan was detected |
TCP 45.141.86.82:15647 -> 192.168.56.101:49240 | 2029217 | ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49242 -> 45.141.86.82:9000 | 2052248 | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) | A Network Trojan was detected |
Suricata TLS
No Suricata TLS
Type | Value |
---|---|
file | C:\Program Files\Google\Chrome\Application\65.0.3325.181\ |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
section | .itext |
section | .didata |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckpaelocniggkheibcacecnmmlmeodfa |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn |
file | C:\Users\test22\AppData\Local\Temp\is-7IC0P.tmp\_isetup\_iscrypt.dll |
file | C:\Users\test22\AppData\Local\22tset\llg\background.js |
file | C:\Users\test22\AppData\Local\22tset\llg\jquery.js |
file | C:\Users\test22\AppData\Local\Temp\is-L7B9K.tmp\_isetup\_iscrypt.dll |
file | C:\Users\test22\AppData\Local\22tset\llg\content.js |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe" |
cmdline | "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\68vp5vaM2.a3x && del C:\ProgramData\\68vp5vaM2.a3x |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe" |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe" |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe" |
cmdline | cmd.exe /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\68vp5vaM2.a3x && del C:\ProgramData\\68vp5vaM2.a3x |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe" |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe" |
file | C:\Users\test22\AppData\Local\Temp\is-NDD40.tmp\231.tmp |
file | C:\Users\test22\AppData\Local\Temp\is-7IC0P.tmp\maintenanceservice_installer |
file | C:\Users\test22\AppData\Local\Temp\is-L7B9K.tmp\_isetup\_iscrypt.dll |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE' |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
cmdline | tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe" |
cmdline | tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH |
cmdline | ping -n 5 127.0.0.1 |
cmdline | "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\68vp5vaM2.a3x && del C:\ProgramData\\68vp5vaM2.a3x |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe" |
cmdline | tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH |
cmdline | tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH |
cmdline | tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe" |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe" |
cmdline | tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH |
cmdline | cmd.exe /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\68vp5vaM2.a3x && del C:\ProgramData\\68vp5vaM2.a3x |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe" |
cmdline | "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe" |
host | 45.141.86.82 |
description | MSBuild.exe tried to sleep 2728278 seconds, actually delayed analysis time by 2728278 seconds |
file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml |
Engine | Detection |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Penguish.4!c |
Skyhigh | Artemis!Trojan |
ALYac | Trojan.Generic.36742838 |
VIPRE | Trojan.Generic.36742838 |
Sangfor | Trojan.Msil.Agent.Vgbw |
CrowdStrike | win/grayware_confidence_70% (D) |
BitDefender | Trojan.Generic.36742838 |
K7GW | Trojan ( 0055c9131 ) |
K7AntiVirus | Trojan ( 0055c9131 ) |
Arcabit | Trojan.Generic.D230A6B6 |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | MSIL/Agent.CKL |
Avast | Win32:Malware-gen |
Kaspersky | Trojan.Win32.Penguish.cmh |
Alibaba | Trojan:Win32/Penguish.1b8fb277 |
MicroWorld-eScan | Trojan.Generic.36742838 |
Emsisoft | Trojan.Generic.36742838 (B) |
F-Secure | Trojan.TR/Agent.aaagcn |
TrendMicro | Backdoor.Win32.SECTOPRAT.YXEIDZ |
McAfeeD | ti!F358DDE7B5F8 |
CTX | exe.trojan.msil |
Sophos | Mal/Generic-S |
FireEye | Trojan.Generic.36742838 |
Webroot | W32.Malware.Gen |
Avira | TR/Agent.aaagcn |
Kingsoft | Win32.Trojan.Penguish.cmh |
Microsoft | Trojan:Win32/Wacatac.B!ml |
ZoneAlarm | Trojan.Win32.Penguish.cmh |
GData | Win32.Malware.Obfus.S4JVPL@susp |
McAfee | Artemis!4FA734DB8E9F |
DeepInstinct | MALICIOUS |
Ikarus | Trojan.MSIL.Agent |
TrendMicro-HouseCall | Backdoor.Win32.SECTOPRAT.YXEIDZ |
Tencent | Win32.Trojan.FalseSign.Lcnw |
MaxSecure | Trojan.Malware.278916312.susgen |
Fortinet | MSIL/Agent.CKL!tr |
AVG | Win32:Malware-gen |
Paloalto | generic.ml |