Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 20, 2021, 3:46 p.m. | April 20, 2021, 3:49 p.m. |
Process | PID |
---|---|
setupapp.exe "C:\Users\test22\AppData\Local\Temp\setupapp.exe" | 2616 |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49808 204.79.197.219:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com | 59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a |
TLSv1 192.168.56.102:49809 204.79.197.219:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com | 59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a |
TLS 1.3 192.168.56.102:49811 104.21.16.228:443 | None | None | None |
TLS 1.3 192.168.56.102:49812 104.21.16.228:443 | None | None | None |
TLSv1 192.168.56.102:49810 20.150.39.196:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=*.blob.core.windows.net | d0:4c:33:5f:cd:ac:48:a4:00:ff:d5:6a:1c:fc:1c:61:d5:84:05:4d |
TLSv1 192.168.56.102:49813 204.79.197.219:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com | 59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a |
TLSv1 192.168.56.102:49814 13.84.56.16:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=*.blob.core.windows.net | 70:c1:14:b5:95:35:c0:4b:01:19:5c:47:78:be:e0:40:bc:d4:62:09 |
TLS 1.3 192.168.56.102:49816 172.67.161.225:443 | None | None | None |
TLS 1.3 192.168.56.102:49815 104.21.1.88:443 | None | None | None |
TLS 1.3 192.168.56.102:49817 172.67.207.106:443 | None | None | None |
Type | Value | Description |
---|---|---|
packer | UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser | |
request | GET https://msdl.microsoft.com/download/symbols/index2.txt |
request | GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb |
request | GET https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7AbuFcy6rVsv90SWbhZYjX%2F1l2smGDcgr940AwiIF4k%3D&spr=https&se=2021-04-21T07%3A12%3A02Z&rscl=x-e2eid-d85b51fb-5af2448b-86391750-db8470b1-session-1ebff91c-856e4d36-a4b4e0af-5a74b6de |
request | GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb |
request | GET https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9UUozfiE%2FOpxeeckU6eKE51prLyA7vjOQSQhv8%2F4Goc%3D&spr=https&se=2021-04-21T07%3A35%3A45Z&rscl=x-e2eid-1750f897-21ec47fd-858b9192-280e65c5-session-4d66908c-74d44857-ac54d7ee-2d4cedfc |
section | UPX1 (virtual_address 0x0056c000, virtual_size 0x003b9000, size_of_data 0x003b8600, entropy 7.8930126056) | A section with a high entropy has been found |
entropy | 0.999868766404 | Overall entropy of this PE file is high |
section | UPX0 | Section name indicates UPX |
section | UPX1 | Section name indicates UPX |
section | UPX2 | Section name indicates UPX |
wmi | SELECT Name FROM Win32_Processor |
domain | sndvoices.com |
domain | cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com |
host | 172.217.25.14 |
wmi | SELECT displayName FROM AntiVirusProduct |
wmi | SELECT OSArchitecture FROM Win32_OperatingSystem |
wmi | SELECT Name FROM Win32_VideoController |
wmi | SELECT Caption FROM Win32_OperatingSystem |
wmi | SELECT Name FROM Win32_Processor |
process: potential process injection target | winlogon.exe |
Vendor | Detection |
---|---|
Bkav | W32.AIDetect.malware1 |
Elastic | malicious (high confidence) |
DrWeb | Trojan.Siggen13.6110 |
MicroWorld-eScan | Trojan.Agent.ETWT |
FireEye | Generic.mg.73eb70ca5994df6e |
CAT-QuickHeal | Trojan.Generic |
McAfee | Artemis!73EB70CA5994 |
Cylance | Unsafe |
VIPRE | Trojan.Win32.Generic!BT |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Trojan ( 00575e511 ) |
Alibaba | Trojan:Win32/RanumBot.91cc2273 |
K7GW | Trojan ( 00575e511 ) |
Cybereason | malicious.a5994d |
BitDefenderTheta | AI:Packer.9D62356B1F |
Cyren | W32/RanumBot.E.gen!Eldorado |
Symantec | Trojan.Glupteba |
ESET-NOD32 | a variant of WinGo/RanumBot.J |
APEX | Malicious |
Avast | FileRepMalware |
ClamAV | Win.Trojan.MSShellcode-7 |
Kaspersky | HEUR:Trojan.Win32.Generic |
BitDefender | Trojan.Agent.ETWT |
NANO-Antivirus | Trojan.Win32.Mlw.itxuuo |
Paloalto | generic.ml |
ViRobot | Trojan.Win32.Z.Ranumbot.3901952 |
Rising | Trojan.RanumBot!8.112AC (CLOUD) |
Ad-Aware | Trojan.Agent.ETWT |
Sophos | Mal/Behav-030 |
Comodo | Malware@#3r3hhrh1xmw8g |
Zillya | Trojan.Agent.Win32.1965981 |
McAfee-GW-Edition | BehavesLike.Win32.Generic.wc |
Emsisoft | Trojan.Agent.ETWT (B) |
SentinelOne | Static AI - Malicious PE |
Jiangmin | TrojanDDoS.Windigo.oa |
Webroot | W32.Malware.Gen |
Avira | TR/Agent.hofzi |
Gridinsoft | Trojan.Win32.Agent.oa |
Microsoft | Trojan:Win32/RanumBot.MT!MTB |
AegisLab | Trojan.Win32.Generic.4!c |
ZoneAlarm | HEUR:Trojan.Win32.Generic |
GData | Trojan.Agent.ETWT |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win.RanumBot.C4414318 |
VBA32 | Rootkit.Agent |
MAX | malware (ai score=82) |
Malwarebytes | Trojan.Ranumbot |
TrendMicro-HouseCall | TROJ_GEN.R002C0DDB21 |
Ikarus | Trojan.Win32.Ranumbot |
eGambit | Unsafe.AI_Score_99% |