Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | March 19, 2021, 2:58 p.m. | March 19, 2021, 3 p.m. |
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44273.4360444444.dat.dll,?uop@@YAHXZ
8024-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44273.4360444444.dat.dll,?uop@@YAHXZ
8780
-
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44273.4360444444.dat.dll,DllRegisterServer
4864-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44273.4360444444.dat.dll,DllRegisterServer
4256-
rundll32.exe rundll32.exe "C:\Users\test22\AppData\Local\Temp\mustx64.tmp",update /i:"DebateMixed\license.dat"
2724-
-
chcp.com chcp
7352
-
-
WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
3716 -
ipconfig.exe ipconfig /all
5264 -
systeminfo.exe systeminfo
2456 -
-
net1.exe C:\Windows\system32\net1 config workstation
3284
-
-
nltest.exe nltest /domain_trusts
4464 -
nltest.exe nltest /domain_trusts /all_trusts
8776 -
net.exe net view /all /domain
5144 -
net.exe net view /all
3408 -
-
net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
1436
-
-
-
-
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44273.4360444444.dat.dll,
7636
Name | Response | Post-Analysis Lookup |
---|---|---|
188criolaserz.space | 178.128.243.14 | |
aws.amazon.com | 13.225.123.73 | |
ugolkuzjaspace.website | 161.35.109.184 | |
lissikopopo.fun | 161.35.109.184 |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49813 13.225.123.73:443 |
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=aws.amazon.com | f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae |
TLSv1 192.168.56.102:49821 161.35.109.184:443 |
CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e |
TLSv1 192.168.56.102:49822 161.35.109.184:443 |
CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e |
TLSv1 192.168.56.102:49823 161.35.109.184:443 |
CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e |
TLSv1 192.168.56.102:49829 161.35.109.184:443 |
CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://188criolaserz.space/ | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://aws.amazon.com/ | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://lissikopopo.fun/news/1/255/0 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://lissikopopo.fun/news/18/255/0 | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://lissikopopo.fun/news/4/2/0 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://lissikopopo.fun/sqlite64.dll | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://ugolkuzjaspace.website/news/4/1/1 | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://ugolkuzjaspace.website/news/8/0/1 | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://ugolkuzjaspace.website/news/8/1/0 | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://ugolkuzjaspace.website/news/4/3/1 |
request | GET http://188criolaserz.space/ |
request | GET https://aws.amazon.com/ |
request | POST https://lissikopopo.fun/news/1/255/0 |
request | GET https://lissikopopo.fun/news/18/255/0 |
request | POST https://lissikopopo.fun/news/4/2/0 |
request | GET https://lissikopopo.fun/sqlite64.dll |
request | POST https://ugolkuzjaspace.website/news/4/1/1 |
request | POST https://ugolkuzjaspace.website/news/8/0/1 |
request | POST https://ugolkuzjaspace.website/news/8/1/0 |
request | POST https://ugolkuzjaspace.website/news/4/3/1 |
request | POST https://lissikopopo.fun/news/1/255/0 |
request | POST https://lissikopopo.fun/news/4/2/0 |
request | POST https://ugolkuzjaspace.website/news/4/1/1 |
request | POST https://ugolkuzjaspace.website/news/8/0/1 |
request | POST https://ugolkuzjaspace.website/news/8/1/0 |
request | POST https://ugolkuzjaspace.website/news/4/3/1 |
description | rundll32.exe tried to sleep 298 seconds, actually delayed analysis time by 298 seconds |
file | C:\Users\test22\AppData\Local\Temp\sqlite64.dll |
file | C:\Users\test22\AppData\Roaming\{91705EE5-DFF4-903C-6CF9-EBE60A86BC6F}\eqpenu4.dll |
cmdline | cmd.exe /c chcp >&2 |
cmdline | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List |
url | http://crl.comodo.net/TrustedCertificateServices.crl0 |
url | http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 |
url | http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
url | http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
url | http://cert.startcom.org/policy.pdf0 |
url | http://crl.securetrust.com/STCA.crl0 |
url | http://crl.securetrust.com/SGCA.crl0 |
url | http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= |
url | http://www.ssc.lt/cps03 |
url | http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 |
url | http://crt.comodoca.com/COMODORSAAddTrustCA.crt0 |
url | http://users.ocsp.d-trust.net03 |
url | http://crl.startcom.org/sfsca-crl.crl0 |
url | http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 |
url | http://www.microsoft.com/pki/certs/TrustListPCA.crt0 |
url | http://crl.comodo.net/AAACertificateServices.crl0 |
url | http://www.pkioverheid.nl/policies/root-policy0 |
url | http://cps.chambersign.org/cps/chambersroot.html0 |
url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
url | http://www.entrust.net/CRL/Client1.crl0 |
url | http://crl.chambersign.org/publicnotaryroot.crl0 |
url | http://ocsp.comodoca.com0 |
url | http://logo.verisign.com/vslogo.gif0 |
url | https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 |
url | http://www.crc.bg0 |
url | http://www.acabogacia.org/doc0 |
url | http://www.e-szigno.hu/SZSZ/0 |
url | http://crl.ssc.lt/root-b/cacrl.crl0 |
url | http://isrg.trustid.ocsp.identrust.com0 |
url | https://www.verisign.com/rpa0 |
url | http://www.quovadis.bm0 |
url | https://www.catcert.net/verarrel05 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 |
url | http://crl.chambersign.org/chambersroot.crl0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
url | http://crl.globalsign.net/root-r2.crl0 |
url | http://certificates.starfieldtech.com/repository/1604 |
url | http://www.d-trust.net0 |
url | https://www.catcert.net/verarrel |
url | http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 |
url | http://crl.ssc.lt/root-a/cacrl.crl0 |
url | http://crl.usertrust.com/UTN-DATACorpSGC.crl0 |
url | http://www.certicamara.com/certicamaraca.crl0 |
url | http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0 |
url | http://crl.usertrust.com/UTN-USERFirst-Object.crl0) |
url | http://www.post.trust.ie/reposit/cps.html0 |
url | http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0 |
url | http://www2.public-trust.com/crl/ct/ctroot.crl0 |
url | http://cert.startcom.org/sfsca-crl.crl0 |
url | http://www.certicamara.com0 |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket |
cmdline | cmd.exe /c chcp >&2 |
cmdline | net group "Domain Admins" /domain |
cmdline | systeminfo |
cmdline | net view /all /domain |
cmdline | net config workstation |
cmdline | chcp |
cmdline | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List |
cmdline | ipconfig /all |
cmdline | net view /all |
host | 172.217.25.14 |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
registry | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
cmdline | nltest /domain_trusts |
cmdline | nltest /domain_trusts /all_trusts |