Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Feb. 12, 2023, 2:50 p.m. | Feb. 12, 2023, 3:03 p.m. |
WW2.exe "C:\Users\test22\AppData\Local\Temp\WW2.exe"
2544
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com | CNAME a1952.dscq.akamai.net; CNAME identrust.edgesuite.net | 23.43.165.105 |
ipinfo.io | 34.117.59.81 | |
api.db-ip.com | 104.26.5.15 | |
www.maxmind.com | 104.17.214.67 | |
db-ip.com | 104.26.5.15 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49168 -> 104.17.214.67:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49166 -> 172.67.75.166:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49163 -> 34.117.59.81:443 | 2025331 | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49163 -> 34.117.59.81:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 34.117.59.81:443 -> 192.168.56.101:49163 | 2025330 | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49165 -> 172.67.75.166:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49166 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc |
TLSv1 192.168.56.101:49163 34.117.59.81:443 | C=US, O=Let's Encrypt, CN=R3 | CN=ipinfo.io | 63:03:85:17:32:f2:5e:25:3f:4e:ca:14:a9:16:fe:4d:7c:c4:54:bf |
TLSv1 192.168.56.101:49165 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc |
suspicious_features | Connection to IP address |
suspicious_request | GET http://23.254.227.214/api/tracemap.php |
request | GET http://23.254.227.214/api/tracemap.php |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://www.maxmind.com/geoip/v2.1/city/me |
request | GET https://db-ip.com/ |
request | POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self |
request | POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self |
Name | Language | Filetype | Sublanguage | Offset | Size |
---|---|---|---|---|---|
RT_VERSION | LANG_NEUTRAL | data | SUBLANG_ARABIC_OMAN | 0x00247970 | 0x000002ac |
domain | ipinfo.io |
host | 172.217.175.68 |
host | 23.254.227.214 |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions |
MicroWorld-eScan | Gen:Heur.Mint.PrivateLoader.1 |
McAfee | Artemis!6CC7D9664C1A |
Cylance | Unsafe |
VIPRE | Gen:Heur.Mint.PrivateLoader.1 |
Sangfor | Trojan.Win32.Agent.Vzn3 |
K7AntiVirus | Trojan ( 0057eb8e1 ) |
Alibaba | Trojan:Win32/Nekark.a05e38b9 |
K7GW | Trojan ( 0057eb8e1 ) |
CrowdStrike | win/malicious_confidence_100% (W) |
Arcabit | Trojan.Mint.PrivateLoader.1 |
Symantec | ML.Attribute.HighConfidence |
Elastic | Windows.Trojan.PrivateLoader |
ESET-NOD32 | a variant of Win32/Agent.ADGH |
APEX | Malicious |
Paloalto | generic.ml |
Cynet | Malicious (score: 100) |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Gen:Heur.Mint.PrivateLoader.1 |
Avast | Win32:PWSX-gen [Trj] |
Tencent | Win32.Trojan.Generic.Jtgl |
Emsisoft | Gen:Heur.Mint.PrivateLoader.1 (B) |
DrWeb | Trojan.DownLoader45.42282 |
TrendMicro | Trojan.Win32.PRIVATELOADER.YXDBKZ |
McAfee-GW-Edition | Artemis!Trojan |
FireEye | Gen:Heur.Mint.PrivateLoader.1 |
Avira | TR/AD.Nekark.jtxwk |
MAX | malware (ai score=89) |
Antiy-AVL | Trojan/Win32.Wacatac |
Kingsoft | Win32.Troj.Generic_a.a.(kcloud) |
Gridinsoft | Ransom.Win32.Wacatac.sa |
Microsoft | Trojan:Win32/Casdet!rfn |
GData | Gen:Heur.Mint.PrivateLoader.1 |
AhnLab-V3 | Trojan/Win.Generic.C5272956 |
BitDefenderTheta | Gen:NN.ZexaF.36276.tw0@aOND2PkQ |
ALYac | Gen:Heur.Mint.PrivateLoader.1 |
VBA32 | BScope.TrojanPSW.Arkei |
Malwarebytes | Trojan.WDDisabler |
TrendMicro-HouseCall | Trojan.Win32.PRIVATELOADER.YXDBKZ |
Rising | Downloader.Agent!1.D93C (CLASSIC) |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | W32/Agent.ADGH!tr |
AVG | Win32:PWSX-gen [Trj] |