Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6402	March 9, 2023, 1:44 p.m.	March 9, 2023, 1:46 p.m.

Archive INVOICE 589 03_23.doc @ INVOICE N L96505 03_23.zip

Size	526.2MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Moulaye Sellens, Template: Normal, Last Saved By: Microsoft account, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 1 17:01:00 2023, Last Saved Time/Date: Wed Mar 1 17:01:00 2023, Number of Pages: 1, Number of Words: 6720, Number of Characters: 38309, Security: 0
MD5	`b59808aba76dd0095aa06133382de9ed`
SHA1	`59aed06213b305d2877031e8ef489064ef74ca74`
SHA256	`2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b`
SHA512	`134c7c9929c277a3ec0403c2246214059d107c78c0056f8190218e0d16ded3cfaa7a4682d695f9e6212c66220cb222589c8fcd19f6ea70a00994eb06eec6566b`
CRC32	`0F0BB376`
ssdeep	`3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Users\test22\AppData\Local\Temp\134425.tmp"
664
- regsvr32.exe /s "C:\Users\test22\AppData\Local\Temp\134425.tmp"
  1112
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JYnNIYZ\vHZBVEG.dll"
    2496
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
mtp.evotek.vn	A 101.99.3.20	101.99.3.20
midcoastsupplies.com.au	A 203.26.41.132	203.26.41.132

IP Address	Status	Action
101.99.3.20	Active	Moloch
104.168.155.143	Active	Moloch
164.124.101.2	Active	Moloch
164.90.222.65	Active	Moloch
167.172.199.165	Active	Moloch
182.162.143.56	Active	Moloch
187.63.160.88	Active	Moloch
203.26.41.132	Active	Moloch
66.228.32.31	Active	Moloch
91.121.146.47	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 203.26.41.132:443 -> 192.168.56.102:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 203.26.41.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49208 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 66.228.32.31:7080 -> 192.168.56.102:49204	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 187.63.160.88:80 -> 192.168.56.102:49208	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 164.90.222.65:443	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 167.172.199.165:8080 -> 192.168.56.102:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 192.168.56.102:49212 -> 104.168.155.143:8080	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected
TCP 91.121.146.47:8080 -> 192.168.56.102:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 182.162.143.56:443 -> 192.168.56.102:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 9, 2023, 1:38 p.m.	computer_name: TEST22-PC	1	1	0

Office document has indirect calls (18 events)

Statement	CallByName sbQrKWe, KZcpQkXS, 1, Fi, FdHmEj & e
Statement	CallByName LmVngSM, VyLpaM, 1, F
Statement	CallByName(ActiveDocument, JJxPwJuC, 2)
Statement	CallByName LmVngSM, cf, 1, F
Statement	CallByName Um, jyQhujN, 1, XIflfm
Statement	CallByName(UQSuSREa, CVKld, 2)
Statement	CallByName Um, s, 1
Statement	CallByName LmVngSM, TAKzWZ, 1, F
Statement	CallByName Um, TXxlVcxe, 1
Statement	CallByName UQSuSREa, NozEpPV, 1
Statement	CallByName(UQSuSREa, jVksI, 2)
Statement	CallByName Um, cLB, 4, 1
Statement	CallByName dllBRu, mDCEr, 1, yGgfO.Items, 4
Statement	CallByName atasC, wSg, 1, VthNzHxD.Path, F
Statement	CallByName UQSuSREa, s, 1, ys, mooaT, False
Statement	CallByName UQSuSREa, SouiCA, 4, 4, 13056
Statement	CallByName Um, hbJwOpZz, 1, F, 2
Statement	CallByName(sbQrKWe, tgcAmc, 1, uAsB)

Performs some HTTP requests (1 event)

request

GET http://mtp.evotek.vn/wp-content/L/?134427

Allocates read-write-execute memory (usually to unpack itself) (37 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001df0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd0e7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd92f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd799000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc7d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ee0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef835c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef82db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb8da000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff38b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd851000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefba71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf1a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd0e7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd92f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd799000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc7d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ee0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef835c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef82db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb8da000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe351000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe203000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcb51000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcdde000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:38 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcd53000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JYnNIYZ\vHZBVEG.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: tvnserver.exe process_identifier: 2676	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: taskhost.exe process_identifier: 2880	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: WINWORD.EXE process_identifier: 3068	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: cmd.exe process_identifier: 1620	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: pw.exe process_identifier: 2244	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: regsvr32.exe process_identifier: 664	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: OSPPSVC.EXE process_identifier: 1844	1	1
Process32NextW March 9, 2023, 1:38 p.m.	snapshot_handle: 0x0000000000000148 process_name: regsvr32.exe process_identifier: 2496	1	1

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Potentially malicious URLs were found in the process memory dump (50 out of 124 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl

Yara rule detected in process memory (50 out of 74 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network

Communicates with host for which no DNS query was performed (7 events)

host	104.168.155.143
host	164.90.222.65
host	167.172.199.165
host	182.162.143.56
host	187.63.160.88
host	66.228.32.31
host	91.121.146.47

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

164.90.222.65:443

Archive INVOICE 589 03_23.doc @ INVOICE N L96505 03_23.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All