Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 25, 2021, 7:49 a.m. | March 25, 2021, 7:51 a.m. |
Process | PID |
---|---|
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\merit.php.dll,StartW | 112 |
wermgr.exe C:\Windows\system32\wermgr.exe | 1204 |
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\merit.php.dll, | 2852 |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49204 174.105.236.140:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | a1:ea:a4:fa:0a:5e:ba:b9:c1:46:42:a3:0b:3e:a6:e7:b4:e2:f7:f0 |
TLSv1 192.168.56.101:49203 70.119.220.241:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | a1:ea:a4:fa:0a:5e:ba:b9:c1:46:42:a3:0b:3e:a6:e7:b4:e2:f7:f0 |
TLSv1 192.168.56.101:49207 98.6.253.142:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.101:49205 67.79.117.70:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79 |
TLSv1 192.168.56.101:49206 173.219.76.169:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | a1:ea:a4:fa:0a:5e:ba:b9:c1:46:42:a3:0b:3e:a6:e7:b4:e2:f7:f0 |
suspicious_features | Connection to IP address | suspicious_request | GET https://70.119.220.241/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://174.105.236.140/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://67.79.117.70/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://173.219.76.169/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
request | GET https://70.119.220.241/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
request | GET https://174.105.236.140/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
request | GET https://67.79.117.70/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
request | GET https://173.219.76.169/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
request | GET https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ |
Antivirus | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
FireEye | Generic.mg.2ae20b49ac0c8f59 |
Cylance | Unsafe |
CrowdStrike | win/malicious_confidence_90% (W) |
BitDefenderTheta | Gen:NN.ZedlaF.34628.Bq4@auN33ze |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Avast | FileRepMalware |
Cynet | Malicious (score: 100) |
Kaspersky | VHO:Trojan-Banker.Win32.Trickster.gen |
Rising | Malware.Heuristic!ET#78% (RDMK:cmRtazoHyqnMVXOV8/VcnBQcEboS) |
AVG | FileRepMalware |
dead_host | 67.212.241.127:443 |
dead_host | 72.164.254.204:443 |