Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 2, 2024, 3:42 p.m. | July 2, 2024, 3:44 p.m. |
setup.exe .\setup.exe
2700
Name | Response | Post-Analysis Lookup |
---|---|---|
codeonicinc.com | 104.26.8.6 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49164 -> 104.26.9.6:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49167 -> 104.26.9.6:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49164 -> 104.26.9.6:443 | C=US, O=Google Trust Services, CN=WE1 | CN=codeonicinc.com | 86:da:8b:36:46:21:b9:cf:2c:38:f1:8a:de:64:e9:75:47:0f:ee:47 |
TLS 1.2 192.168.56.101:49167 -> 104.26.9.6:443 | C=US, O=Google Trust Services, CN=WE1 | CN=codeonicinc.com | 86:da:8b:36:46:21:b9:cf:2c:38:f1:8a:de:64:e9:75:47:0f:ee:47 |
suspicious_features | POST method with no referer header | suspicious_request | POST https://codeonicinc.com/ |
request | POST https://codeonicinc.com/ |
request | POST https://codeonicinc.com/ |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\nsDialogs.dll |
file | C:\Users\test22\AppData\Local\Temp\7zS40ADCD0F\setup.exe |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\System.dll |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\UAC.dll |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\UAC.dll |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\nsDialogs.dll |
file | C:\Users\test22\AppData\Local\Temp\7zS40ADCD0F\setup.exe |
file | C:\Users\test22\AppData\Local\Temp\nshFB1B.tmp\System.dll |
section | name: .data, virtual_address: 0x0013f000, virtual_size: 0x00091b7c, size_of_data: 0x0008e800, entropy: 7.997112804313907 | entropy | 7.99711280431 | description | A section with a high entropy has been found |
entropy | 0.30587603971 | description | Overall entropy of this PE file is high |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet |