Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 23, 2021, 10:48 a.m. | March 23, 2021, 10:50 a.m. |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49213 -> 35.166.81.240:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
TCP 35.166.81.240:443 -> 192.168.56.101:49213 | 2023476 | ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | A Network Trojan was detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49213 35.166.81.240:443 | C=AT, ST=Bohn, L=Bohn, O=Amadey TM, OU=Amadey Org, CN=amadeamadey.at | C=AT, ST=Bohn, L=Bohn, O=Amadey TM, OU=Amadey Org, CN=amadeamadey.at | db:43:d0:55:5c:42:2f:4a:67:c8:eb:0d:da:a9:e7:13:22:8f:d9:28 |
suspicious_features | Connection to IP address | suspicious_request | GET https://35.166.81.240/waters/travel/new21 |
request | GET https://35.166.81.240/waters/travel/new21 |
file | C:\Users\test22\AppData\Local\Temp\U4X2138.exe |
cmdline | cmd.exe |
Paloalto | generic.ml |
Sophos | ML/PE-A |
AhnLab-V3 | Malware/Win64.Generic.C4370271 |
Description | Rule |
---|---|
Code injection with CreateRemoteThread in a remote process | inject_thread |
Create a windows service | create_service |
Communications over UDP network | network_udp_sock |
Listen for incoming communication | network_tcp_listen |
Communications over P2P network | network_p2p_win |
Communications over HTTP | network_http |
File downloader/dropper | network_dropper |
Communications over FTP | network_ftp |
Communications over RAW socket | network_tcp_socket |
Communications use DNS | network_dns |
Communication using dga | network_dga |
Escalade priviledges | escalate_priv |
Take screenshot | screenshot |
Run a keylogger | keylogger |
Steal credential | cred_local |
Record Audio | sniff_audio |
APC queue tasks migration | migrate_apc |
Malware can spread east-west using share drive | spreading_share |
Create or check mutex | win_mutex |
Affect system registries | win_registry |
Affect system token | win_token |
Affect private profile | win_private_profile |
Affect private profile | win_files_operation |
Match Winsock 2 API library declaration | Str_Win32_Winsock2_Library |
Match Windows Inet API library declaration | Str_Win32_Wininet_Library |
Match Windows Inet API call | Str_Win32_Internet_API |
Match Windows Http API call | Str_Win32_Http_API |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerCheck__RemoteAPI |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | DebuggerException__ConsoleCtrl |
(no description) | DebuggerException__SetConsoleCtrl |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
(no description) | Check_Dlls |
Checks if being debugged | anti_dbg |
Anti-Sandbox checks for ThreatExpert | antisb_threatExpert |
Bypass DEP | disable_dep |
Affect hook table | win_hook |
Description | Rule |
---|---|
Code injection with CreateRemoteThread in a remote process | inject_thread |
Create a windows service | create_service |
Communications over UDP network | network_udp_sock |
Listen for incoming communication | network_tcp_listen |
Communications over P2P network | network_p2p_win |
Communications over HTTP | network_http |
File downloader/dropper | network_dropper |
Communications over FTP | network_ftp |
Communications over RAW socket | network_tcp_socket |
cmdline | ping 8.8.7.7 -n 2 |
cmdline | cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\U4X2138.exe MLUO54B |
cmdline | cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\U4X2138.exe TQ8AX |
cmdline | cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rl8.exe M41OFD |
host | 35.166.81.240 |
host | 8.8.7.7 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\CRN6I0NGBZ | reg_value | cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v W2Y5JPZ00 /t REG_SZ /d "C:\Users\test22\AppData\Local\Temp\U4X2138.exe TQ8AX" & start "H" C:\Users\test22\AppData\Local\Temp\U4X2138.exe TQ8AX |
file | C:\Users\test22\AppData\Local\Temp\U4X2138.exe |