Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | March 12, 2021, 6:43 p.m. | March 12, 2021, 6:46 p.m. |
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\solution.iops.exe.dll,DllRegisterServer1
3588-
wermgr.exe C:\Windows\system32\wermgr.exe
8728
-
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\solution.iops.exe.dll,
7144
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
103.91.244.102 | Active | Moloch |
111.235.66.83 | Active | Moloch |
117.212.193.62 | Active | Moloch |
172.217.25.14 | Active | Moloch |
187.190.116.59 | Active | Moloch |
201.184.190.59 | Active | Moloch |
202.142.151.190 | Active | Moloch |
36.94.202.131 | Active | Moloch |
79.122.166.236 | Active | Moloch |
80.78.77.116 | Active | Moloch |
85.159.214.61 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49816 117.212.193.62:449 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.102:49814 201.184.190.59:449 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.102:49819 79.122.166.236:449 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.102:49820 80.78.77.116:449 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.102:49815 202.142.151.190:449 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.102:49818 85.159.214.61:443 |
C=CN, O=NL, OU=XD, CN=nxdefi.com | C=CN, O=NL, OU=XD, CN=nxdefi.com | 97:f4:02:43:96:a4:a4:0e:c8:c3:be:6f:dc:73:6f:3a:2d:35:a5:dc |
resource name | None |
suspicious_features | Connection to IP address | suspicious_request | GET https://85.159.214.61/rob28/TEST22-PC_W617601.51FA6B3783F19317BB7F3DB0B3BF6733/5/kps/ |
request | GET https://85.159.214.61/rob28/TEST22-PC_W617601.51FA6B3783F19317BB7F3DB0B3BF6733/5/kps/ |
description | wermgr.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds |
section | {u'size_of_data': u'0x0003a000', u'virtual_address': u'0x00061000', u'entropy': 7.906858675265074, u'name': u'.rsrc', u'virtual_size': u'0x00039e7e'} | entropy | 7.90685867527 | description | A section with a high entropy has been found | |||||||||
entropy | 0.353658536585 | description | Overall entropy of this PE file is high |
url | http://crl.comodo.net/TrustedCertificateServices.crl0 |
url | http://users.ocsp.d-trust.net03 |
url | http://crl.ssc.lt/root-b/cacrl.crl0 |
url | http://crl.securetrust.com/STCA.crl0 |
url | http://crl.securetrust.com/SGCA.crl0 |
url | http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= |
url | http://www.ssc.lt/cps03 |
url | http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 |
url | http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 |
url | http://www.microsoft.com/pki/certs/TrustListPCA.crt0 |
url | https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 |
url | http://www.pkioverheid.nl/policies/root-policy0 |
url | http://cps.chambersign.org/cps/chambersroot.html0 |
url | http://www.e-szigno.hu/SZSZ/0 |
url | http://www.entrust.net/CRL/Client1.crl0 |
url | http://crl.chambersign.org/publicnotaryroot.crl0 |
url | http://crl.comodo.net/AAACertificateServices.crl0 |
url | http://www.certplus.com/CRL/class3.crl0 |
url | http://logo.verisign.com/vslogo.gif0 |
url | http://www.acabogacia.org/doc0 |
url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
url | https://www.catcert.net/verarrel |
url | http://www.sk.ee/cps/0 |
url | http://www.quovadis.bm0 |
url | https://www.catcert.net/verarrel05 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 |
url | http://crl.chambersign.org/chambersroot.crl0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
url | http://crl.globalsign.net/root-r2.crl0 |
url | http://certificates.starfieldtech.com/repository/1604 |
url | http://www.d-trust.net0 |
url | http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 |
url | http://crl.ssc.lt/root-a/cacrl.crl0 |
url | http://crl.usertrust.com/UTN-DATACorpSGC.crl0 |
url | http://www.certicamara.com/certicamaraca.crl0 |
url | http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0 |
url | http://crl.usertrust.com/UTN-USERFirst-Object.crl0) |
url | http://www.post.trust.ie/reposit/cps.html0 |
url | http://qual.ocsp.d-trust.net0 |
url | http://www2.public-trust.com/crl/ct/ctroot.crl0 |
url | http://www.certicamara.com0 |
url | http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 |
url | http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 |
url | http://www.comsign.co.il/cps0 |
url | http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0 |
url | http://www.microsoft.com/pki/crl/products/TrustListPCA.crl |
url | http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 |
url | http://www.signatur.rtr.at/de/directory/cps.html0 |
url | http://www.globaltrust.info0 |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http |
host | 103.91.244.102 | |||
host | 111.235.66.83 | |||
host | 117.212.193.62 | |||
host | 172.217.25.14 | |||
host | 187.190.116.59 | |||
host | 201.184.190.59 | |||
host | 202.142.151.190 | |||
host | 36.94.202.131 | |||
host | 79.122.166.236 | |||
host | 80.78.77.116 | |||
host | 85.159.214.61 |
url | https://103.91.244.102:449/rob28/TEST22-PC_W617601.51FA6B3783F19317BB7F3DB0B3BF6733/5/kps/ |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 90) |
McAfee | Emotet-FRR!1F0D7F3144BA |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
CrowdStrike | win/malicious_confidence_80% (W) |
ESET-NOD32 | a variant of Win32/GenKryptik.FCTL |
APEX | Malicious |
Paloalto | generic.ml |
Kaspersky | HEUR:Trojan.Win32.Trickpak.gen |
Avast | Win32:Malware-gen |
F-Secure | Trojan.TR/AD.TrickBot.thkkx |
McAfee-GW-Edition | BehavesLike.Win32.Emotet.jc |
FireEye | Generic.mg.1f0d7f3144ba0d50 |
Sophos | ML/PE-A |
GData | Win32.Trojan-Spy.TrickBot.QR2F0S |
Webroot | W32.Trojan.Gen |
Avira | TR/AD.TrickBot.thkkx |
ZoneAlarm | HEUR:Trojan.Win32.Trickpak.gen |
Rising | Trojan.Trickpak!8.122C7 (TFE:dGZlOgZ9RHOveNaXyg) |
Fortinet | W32/Emotet.FRR!tr |
AVG | Win32:Malware-gen |
Qihoo-360 | Win32/Trojan.Generic.HgkASQkA |
dead_host | 103.91.244.102:449 |
dead_host | 36.94.202.131:443 |
dead_host | 187.190.116.59:443 |
dead_host | 192.168.56.102:49817 |
dead_host | 111.235.66.83:443 |