Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 26, 2021, 3:07 p.m. | March 26, 2021, 3:09 p.m. |
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\date.php.dll,StartW (PID 2416)
- wermgr.exe C:\Windows\system32\wermgr.exe (PID 1512)
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\date.php.dll, (PID 1772)
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
IP Address | Status | Action |
---|---|---|
164.124.101.2 | Active | Moloch |
50.197.243.125 | Active | Moloch |
67.212.241.178 | Active | Moloch |
68.201.55.46 | Active | Moloch |
70.119.149.64 | Active | Moloch |
71.40.62.107 | Active | Moloch |
71.42.188.85 | Active | Moloch |
71.66.92.190 | Active | Moloch |
72.128.158.51 | Active | Moloch |
73.103.36.158 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49211 71.42.188.85:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02 |
TLSv1 192.168.56.101:49207 68.201.55.46:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02 |
TLSv1 192.168.56.101:49203 72.128.158.51:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | f8:68:0a:74:96:dc:19:0a:62:fa:35:3d:ca:ef:06:ff:20:bd:f4:c8 |
TLSv1 192.168.56.101:49205 67.212.241.178:443 | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-80:2A:A8:F2:69:9A/emailAddress=support@ubnt.com | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-80:2A:A8:F2:69:9A/emailAddress=support@ubnt.com | 36:b8:d5:9a:af:b4:cf:80:19:44:d3:fd:5e:8f:d1:75:49:3d:7a:71 |
TLSv1 192.168.56.101:49212 71.66.92.190:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | f8:68:0a:74:96:dc:19:0a:62:fa:35:3d:ca:ef:06:ff:20:bd:f4:c8 |
TLSv1 192.168.56.101:49213 71.40.62.107:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02 |
pdb_path | k:\dll\tabcontrol_demo\Release\TabControl.pdb |
section | .didat |
suspicious_features | Connection to IP address | suspicious_request | GET https://72.128.158.51/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://67.212.241.178/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://67.212.241.178/cookiechecker?uri=/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://67.212.241.178/index.html |
suspicious_features | Connection to IP address | suspicious_request | GET https://67.212.241.178/login.cgi?uri=/index.html |
suspicious_features | Connection to IP address | suspicious_request | GET https://68.201.55.46/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://71.42.188.85/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://71.66.92.190/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
suspicious_features | Connection to IP address | suspicious_request | GET https://71.40.62.107/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://72.128.158.51/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://67.212.241.178/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://67.212.241.178/cookiechecker?uri=/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://67.212.241.178/index.html |
request | GET https://67.212.241.178/login.cgi?uri=/index.html |
request | GET https://68.201.55.46/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://71.42.188.85/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://71.66.92.190/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
request | GET https://71.40.62.107/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ |
name | RT_MESSAGETABLE | language | LANG_ENGLISH | filetype | data | sublanguage | SUBLANG_ENGLISH_AUS | offset | 0x0008c7d8 | size | 0x00036133 |
cmdline | C:\Windows\system32\cmd.exe |
section | name .rsrc, virtual_address 0x0008b000, virtual_size 0x000460d9, size_of_data 0x00047000, entropy 7.029550106387185 | entropy | 7.02955010639 | description | A section with a high entropy has been found |
entropy | 0.333333333333 | description | Overall entropy of this PE file is high |
host | 50.197.243.125 |
host | 67.212.241.178 |
host | 68.201.55.46 |
host | 70.119.149.64 |
host | 71.40.62.107 |
host | 71.42.188.85 |
host | 71.66.92.190 |
host | 72.128.158.51 |
host | 73.103.36.158 |
FireEye | Generic.mg.ab70894ecc3d92c5 |
CrowdStrike | win/malicious_confidence_80% (D) |
APEX | Malicious |
Kaspersky | UDS:DangerousObject.Multi.Generic |
Paloalto | generic.ml |
Sophos | ML/PE-A |
Webroot | W32.Trojan.Trickbot |
Kingsoft | Win32.Troj.Undef.(kcloud) |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
Cynet | Malicious (score: 100) |
BitDefenderTheta | Gen:NN.ZedlaF.34628.1C8@aOkxFIbi |
dead_host | 50.197.243.125:443 |
dead_host | 70.119.149.64:443 |
dead_host | 73.103.36.158:443 |