Edit tour
Windows
Analysis Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Suricata IDS alerts for network traffic
Queries Google from non browser process on port 80
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Drops PE files
Found dropped PE file which has not been started or loaded
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Classification
- System is w10x64
- msiexec.exe (PID: 280 cmdline:
"C:\Window s\System32 \msiexec.e xe" /i "C: \Users\use r\Desktop\ SecuriteIn fo.com.Bac kdoor.OLE2 .RA-Based. a.22874.19 45.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6688 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 6732 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 50AE915 73DE534A9A 96FD2BF23C 4165F C MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: frack113: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-07T21:53:02.522699+0200 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.6 | 49715 | 142.250.185.196 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: |
Source: | HTTP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |