Status: CLEANED
Malware family: Nova
Severity: HIGH
Triggered by: Endpoint Behavioral Guard
Trigger: c:\windows\system32\reg.exe
Protection name: infostealer.win.clipper.a
Local user: IEUser
ATTACK STATS
What sort of connections and processes were involved?
Remote Logon
Internal
Malicious Connections
Suspicious Connections: 1
Unclassified Connections
Malicious Processes: 1
Suspicious Processes
Unclassified Processes
Malicious Files: 4
Suspicious Files
Unsigned Processes: 1
Script Processes
ATTACK TYPES
What attack types were seen or prevented?
evader
infostealer
ENTRY POINT
How did it enter the system?
Incident started through vmtoolsd.exe
BUSINESS IMPACT
What was the potential damage done?
No damage detected
REMEDIATION
Were all incident-created elements removed?
No remediation needed
Terminated processes: 165/165 (100%)
Quarantined/Deleted files: 21/21 (100%)
Restored files
Remediated registry keys
Remediated services
Remediated scheduled tasks
Remediated WMI persistence events
Remediated bcdedit commands
INCIDENT DETAILS (165 processes)
How do I analyze further?
kyrazon setup.exe
kyrazongame-ns.exe.exe
cmd.exe
chcp.com
kyrazongame-ns.exe.exe
cmd.exe
findstr.exe
powershell.exe
conhost.exe
tasklist.exe
conhost.exe
reg.exe
conhost.exe
cmd.exe
conhost.exe
reg.exe
MITRE ATT&CK™
Tactics and techniques seen as defined by the MITRE ATT&CK™ framework
Initial Access
Execution
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Native API
Unsigned Process
User Execution: Malicious File
Persistence
Privilege Escalation
Process Injection: Portable Executable Injection
Defense Evasion
Indicator Removal on Host: File Deletion
Masquerading
Masquerading: Invalid Code Signature
Modify Registry
Process Injection: Portable Executable Injection
Subvert Trust Controls: Code Signing
Credential Access
Discovery
Application Window Discovery
Process Discovery
Query Registry
System Information Discovery
Lateral Movement
Collection
Archive Collected Data
Command and Control
Commonly Used Port
Encrypted Channel: Asymmetric Cryptography
Non-Standard Port
Exfiltration
Archive Collected Data
Impact
Process Termination
NETWORK MAP
Where were the untrusted connections being made?
Country
France (2 unknown)