Analysis

Category: URL
Package: ie
Started: 2020-02-07 17:22:39
Completed: 2020-02-07 17:26:44
Duration: 245 seconds

Options:
route = inetsim
procdump = 0
free = yes
norefer = 1

Log:
2020-02-07 18:22:51,015 [root] INFO: Date set to: 02-07-20, time set to: 17:22:51, timeout set to: 200
2020-02-07 18:22:51,062 [root] DEBUG: Starting analyzer from: C:\nsjtppe
2020-02-07 18:22:51,062 [root] DEBUG: Storing results at: C:\ljKbcyWvew
2020-02-07 18:22:51,062 [root] DEBUG: Pipe server name: \\.\PIPE\jBMjwO
2020-02-07 18:22:51,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-07 18:22:51,062 [root] INFO: Automatically selected analysis package "ie"
2020-02-07 18:22:53,530 [root] DEBUG: Started auxiliary module Browser
2020-02-07 18:22:53,530 [root] DEBUG: Started auxiliary module Curtain
2020-02-07 18:22:53,530 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2020-02-07 18:22:53,530 [root] DEBUG: Started auxiliary module DigiSig
2020-02-07 18:22:53,546 [root] DEBUG: Started auxiliary module Disguise
2020-02-07 18:22:53,546 [root] DEBUG: Started auxiliary module Human
2020-02-07 18:22:53,546 [root] DEBUG: Started auxiliary module Screenshots
2020-02-07 18:22:53,546 [root] DEBUG: Started auxiliary module Sysmon
2020-02-07 18:22:53,546 [root] DEBUG: Started auxiliary module Usage
2020-02-07 18:22:53,546 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2020-02-07 18:22:53,546 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2020-02-07 18:22:53,625 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""https://onedrive.live.com/redir?resid=3AADA808C1858F4A%21112&authkey=%21ADgD5hhv3eAst6I&page=View&wd=target%28Quick%20Notes.one%7C37a31a00-f592-4d33-bd50-5dcbd78d4776%2FProTech%20Thermal%20Services%202020-02-06%7Caacc9179-286c-4ce2-b69b-2c3c242ec7b9%2F%29"" with pid 3596
2020-02-07 18:22:53,625 [root] INFO: No process IDs returned by the package, running for the full timeout.
2020-02-07 18:24:01,296 [modules.auxiliary.human] INFO: Found button "&OK", clicking it
2020-02-07 18:26:13,921 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-02-07 18:26:13,921 [root] INFO: Created shutdown mutex.
2020-02-07 18:26:14,921 [root] INFO: Shutting down package.
2020-02-07 18:26:14,921 [root] INFO: Stopping auxiliary modules.
2020-02-07 18:26:14,937 [root] INFO: Finishing auxiliary modules.
2020-02-07 18:26:14,937 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-07 18:26:14,937 [root] WARNING: File at path "C:\ljKbcyWvew\debugger" does not exist, skip.
2020-02-07 18:26:14,937 [root] INFO: Analysis completed.

MalScore

1.0

Benign

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-02-07 17:22:39 2020-02-07 17:26:44

URL Details

URL
https://onedrive.live.com/redir?resid=3AADA808C1858F4A%21112&authkey=%21ADgD5hhv3eAst6I&page=View&wd=target%28Quick%20Notes.one%7C37a31a00-f592-4d33-bd50-5dcbd78d4776%2FProTech%20Thermal%20Services%202020-02-06%7Caacc9179-286c-4ce2-b69b-2c3c242ec7b9%2F%29

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

WHOIS Information

Name: Domain Administrator
Country: US
State: WA
City: Redmond
ZIP Code: 98052
Address: None

Organization: Microsoft Corporation
Domain Name(s):
    LIVE.COM
Creation Date:
    1994-12-28 05:00:00
    1994-12-28 00:00:00
Updated Date:
    2019-12-23 06:15:20
    2019-12-23 01:15:20
Expiration Date:
    2020-12-27 05:00:00
Email(s):
    [email protected]
    [email protected]
    [email protected]

Registrar(s):
    CSC CORPORATE DOMAINS, INC.
Name Server(s):
    NS1.MSFT.NET
    NS2.MSFT.NET
    NS3.MSFT.NET
    NS4.MSFT.NET
    NSE12.O365FILTERING.COM
    NSE13.O365FILTERING.COM
    NSE21.O365FILTERING.COM
    NSE24.O365FILTERING.COM
Referral URL(s):
    None
This file is not on VirusTotal.

TCP

Source Source Port Destination Destination Port
192.168.1.3 49168 192.0.2.123 443
192.168.1.3 49170 192.0.2.123 443
192.168.1.3 49172 192.0.2.123 443
192.168.1.3 49177 192.0.2.123 443
192.168.1.3 49181 192.0.2.123 443
192.168.1.3 49183 192.0.2.123 443
192.168.1.3 49185 192.0.2.123 443
192.168.1.3 49187 192.0.2.123 443

UDP

Source Source Port Destination Destination Port

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 6.243 seconds )

  • 5.087 Suricata
  • 0.454 Deduplicate
  • 0.32 VirusTotal
  • 0.253 Static
  • 0.119 NetworkAnalysis
  • 0.008 AnalysisInfo
  • 0.002 Debug

Signatures ( 0.023 seconds )

  • 0.004 antiav_detectreg
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.002 antiav_detectfile
  • 0.002 ransomware_extensions
  • 0.001 tinba_behavior
  • 0.001 kibex_behavior
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail

Reporting ( 0.009 seconds )

  • 0.009 JsonDump
Task ID 12501
Mongo ID 5e3d9ddf33e8114dc341c8bc
Cuckoo release 1.3-CAPE