Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Nov. 7, 2023, 7:40 a.m. | Nov. 7, 2023, 7:44 a.m. |
Services.exe "C:\Users\test22\AppData\Local\Temp\Services.exe"
2664
IP Address | Status | Action |
---|---|---|
125.253.92.50 | Active | Moloch |
104.18.146.235 | Active | Moloch |
104.244.42.1 | Active | Moloch |
104.26.5.15 | Active | Moloch |
121.254.136.18 | Active | Moloch |
149.154.167.99 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.67.193.129 | Active | Moloch |
172.67.75.166 | Active | Moloch |
213.180.204.24 | Active | Moloch |
34.117.59.81 | Active | Moloch |
5.255.255.70 | Active | Moloch |
62.217.160.2 | Active | Moloch |
91.92.243.151 | Active | Moloch |
94.142.138.131 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49167 5.255.255.70:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai | e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24 |
TLSv1 192.168.56.101:49169 213.180.204.24:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru | 3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93 |
TLSv1 192.168.56.101:49177 104.26.5.15:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5 |
TLSv1 192.168.56.101:49168 62.217.160.2:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru | 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2 |
TLSv1 192.168.56.101:49172 172.67.193.129:443 | C=US, O=Let's Encrypt, CN=E1 | CN=ironhost.io | bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19 |
TLSv1 192.168.56.101:49178 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
section | .vmp0 |
section | .vmp1 |
section | .vmp2 |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://91.92.243.151/api/tracemap.php |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://94.142.138.131/api/tracemap.php |
suspicious_features | POST method with no referer header, Connection to IP address | suspicious_request | POST http://94.142.138.131/api/firecom.php |
request | GET http://91.92.243.151/api/tracemap.php |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://94.142.138.131/api/tracemap.php |
request | POST http://94.142.138.131/api/firecom.php |
request | GET http://www.maxmind.com/geoip/v2.1/city/me |
request | GET https://yandex.ru/ |
request | GET https://dzen.ru/?yredirect=true |
request | GET https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue |
request | GET https://db-ip.com/ |
request | POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self |
request | POST http://94.142.138.131/api/firecom.php |
request | POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self |
domain | ipinfo.io |
section | .vmp2 (size_of_data 0x004af400, virtual_address 0x002e2000, virtual_size 0x004af280, entropy 7.993526835082115) | entropy | 7.99352683508 | description | A section with a high entropy has been found |
section | .rsrc (size_of_data 0x00018400, virtual_address 0x00794000, virtual_size 0x000267e6, entropy 7.392826746214749) | entropy | 7.39282674621 | description | A section with a high entropy has been found |
entropy | 0.998266190719 | description | Overall entropy of this PE file is high |
section | .vmp0 | description | Section name indicates VMProtect |
section | .vmp1 | description | Section name indicates VMProtect |
section | .vmp2 | description | Section name indicates VMProtect |
host | 125.253.92.50 |
host | 91.92.243.151 |
host | 94.142.138.131 |