Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | June 16, 2024, 9:54 a.m. | June 16, 2024, 10:13 a.m. |
Process | Command line | PID |
---|---|---|
cmd.exe | cmd /c ""C:\Users\test22\AppData\Local\Temp\36e244b7.bat" " | 2700 |
csrss1.exe | C:\Users\test22\AppData\Local\Temp\csrss1.exe | 2120 |
ctfmon.exe | ctfmon.exe | 2420 |
ctfmon.exe | ctfmon.exe | 2624 |
Name | Response | Post-Analysis Lookup |
---|---|---|
ddos.dnsnb8.net | 44.221.84.105 | |
www.dropbox.com | CNAME www-env.dropbox-dns.com; 162.125.84.18 | |
docs.google.com | 172.217.25.174 | |
freedns.afraid.org | 69.42.215.252 | |
drive.usercontent.google.com | 142.250.206.193 | |
xred.mooo.com | | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49200 -> 142.250.66.129:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49199 -> 216.58.203.78:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49201 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49202 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.103:50800 -> 164.124.101.2:53 | 2015633 | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49200 -> 142.250.66.129:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.usercontent.google.com | 71:e8:8e:94:b7:3e:87:37:f2:40:e5:6d:db:4c:22:85:e4:ea:4d:63 |
TLSv1 192.168.56.103:49199 -> 216.58.203.78:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.google.com | 4c:c8:6f:b2:95:94:9b:85:9d:cd:50:8c:dc:35:70:a9:fa:1c:63:f0 |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
section | .nsp0 |
section | .nsp1 |
section | .nsp2 |
section | O\xb0n?\xa3ux |
resource name | TEXTINCLUDE |
domain | xred.mooo.com |
request | GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download |
request | GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download |
request | GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download |
description | Synaptics.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds |
description | ._cache_csrss2.exe tried to sleep 185 seconds, actually delayed analysis time by 185 seconds |
description | ._cache_Synaptics.exe tried to sleep 182 seconds, actually delayed analysis time by 182 seconds |
Resource name | Language | Filetype | Sublanguage | Offset | Size |
---|---|---|---|---|---|
TEXTINCLUDE | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x0024361c | 0x00000151 |
RT_CURSOR | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00243b0c | 0x000000b4 |
RT_BITMAP | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00245214 | 0x00000144 |
RT_MENU | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00245364 | 0x00000284 |
RT_DIALOG | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x002465ac | 0x0000018c |
RT_STRING | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00246ff4 | 0x00000024 |
RT_GROUP_CURSOR | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00247040 | 0x00000022 |
RT_GROUP_ICON | LANG_CHINESE | empty | SUBLANG_CHINESE_SIMPLIFIED | 0x00247078 | 0x00000014 |
domain | docs.google.com |
file | C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe |
file | C:\Users\test22\AppData\Local\Temp\39251ACE.exe |
file | C:\Users\test22\AppData\Local\Temp\49791C4E.exe |
file | C:\Users\test22\AppData\Local\Temp\280D2AB5.exe |
file | C:\Users\test22\AppData\Local\Temp\645E3936.exe |
file | C:\Users\test22\AppData\Local\Temp\014F1B8E.exe |
file | C:\Users\test22\AppData\Local\Temp\csrss1.exe |
file | C:\Program Files (x86)\7-Zip\7zFM.exe |
file | C:\Python27\Lib\distutils\command\wininst-7.1.exe |
file | C:\tmpvmqcut\bin\inject-x86.exe |
file | C:\Python27\Lib\site-packages\setuptools\cli-32.exe |
file | C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe |
file | C:\tmp6o6lvv\bin\execsc.exe |
file | C:\Users\test22\AppData\Local\Temp\18EE6058.exe |
file | C:\Users\test22\AppData\Local\Temp\36e244b7.bat |
file | C:\Users\test22\AppData\Local\Temp\0CC72395.exe |
file | C:\Program Files\7-Zip\Uninstall.exe |
file | C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe |
file | C:\Python27\Lib\distutils\command\wininst-9.0.exe |
file | C:\Program Files (x86)\7-Zip\7z.exe |
file | C:\Users\test22\AppData\Local\Temp\2CFF5E0B.exe |
file | C:\Python27\Lib\distutils\command\wininst-6.0.exe |
file | C:\util\pafish.exe |
file | C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe |
file | C:\Python27\Lib\site-packages\setuptools\cli.exe |
file | C:\tmp6o6lvv\bin\inject-x86.exe |
file | C:\Program Files (x86)\7-Zip\7zG.exe |
file | C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe |
file | C:\Python27\Lib\site-packages\setuptools\gui-32.exe |
file | C:\ProgramData\Synaptics\Synaptics.dll |
file | C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe |
file | C:\tmpvmqcut\bin\is32bit.exe |
file | C:\tmp6o6lvv\bin\is32bit.exe |
file | C:\Users\test22\AppData\Local\Temp\BIwL.exe |
file | C:\tmpvmqcut\bin\execsc.exe |
file | C:\Python27\Lib\distutils\command\wininst-8.0.exe |
file | C:\Program Files (x86)\7-Zip\Uninstall.exe |
file | C:\Users\test22\AppData\Local\Temp\csrss2.exe |
file | C:\Python27\Lib\site-packages\setuptools\gui.exe |
domain | www.dropbox.com |
file | C:\Users\test22\AppData\Local\Temp\36e244b7.bat |
file | C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe |
file | C:\Users\test22\AppData\Local\Temp\BIwL.exe |
file | C:\Users\test22\AppData\Local\Temp\13314968\TemporaryFile\TemporaryFile |
file | C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe |
file | C:\Users\test22\AppData\Local\Temp\csrss2.exe |
Section | Virtual address | Virtual size | Size of data | Entropy | Description |
---|---|---|---|---|---|
.nsp1 | 0x00248000 | 0x00111000 | 0x00110c3d | 7.9959277993918345 | A section with a high entropy has been found |
O\xb0n?\xa3ux | 0x0035b000 | 0x00005000 | 0x00004200 | 6.934006008765163 | A section with a high entropy has been found |
entropy | 1.0 | description | Overall entropy of this PE file is high |
Rule | Description |
---|---|
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |
buffer | Buffer with sha1: b99d52ea98bdd45b252cfea79029b570a81e622b |
host | 38.147.172.248 |
host | 51.15.193.130 |
Registry key | Value |
---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst | C:\Users\test22\AppData\Local\Temp\csrss1.exe |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver | C:\ProgramData\Synaptics\Synaptics.exe |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name | C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name | C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe |

Service name | Service path |
---|---|
Mnopqr | C:\Windows\SysWOW64\ctfmon.exe |