Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 2, 2024, 5:18 p.m. | Aug. 2, 2024, 5:25 p.m. |
-
guardservice.exe "C:\Users\test22\AppData\Local\Temp\guardservice.exe"
496 -
explorer.exe C:\Windows\Explorer.EXE
1236
Name | Response | Post-Analysis Lookup |
---|---|---|
sgz-1302338321.cos.ap-guangzhou.myqcloud.com |
CNAME
gz.file.myqcloud.com
|
159.75.57.69 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2050736 | ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com) | Misc activity |
TCP 192.168.56.103:49163 -> 159.75.57.69:443 | 2050737 | ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) | Misc activity |
TCP 192.168.56.103:49163 -> 159.75.57.69:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49163 -> 159.75.57.69:443 | 2050737 | ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49163 159.75.57.69:443 |
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3 | C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=*.cos.ap-guangzhou.myqcloud.com | 92:52:87:fc:ce:db:af:62:b4:ce:28:44:27:01:5e:3d:63:8d:d7:12 |
packer | Armadillo v1.71 |
request | GET https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/Update.exe |
name | RT_VERSION | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0005d058 | size | 0x00000264 |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guardservice.exe.lnk |
file | C:\Users\test22\AppData\Local\Temp\Update.exe |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guardservice.exe.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Users\test22\AppData\Local\Temp\guardservice.exe.lnk |
file | C:\Users\test22\AppData\Local\Temp\Update.exe |