LIVE alert ticker:

  • CRITICAL: Ransomware beacon detected on PROD-DB-04 — T1486 Data Encrypted for Impact
  • HIGH: Brute force SSH attempt from 185.220.101.47 — 2,847 attempts in 5 min
  • HIGH: Lateral movement detected CORP-WS-112 → CORP-WS-089 via SMB
  • MEDIUM: Unusual PowerShell execution on CORP-WS-055 — T1059.001
  • CRITICAL: C2 beacon to 91.92.251.103:443 from CORP-WS-034 — TA0011
CyberSentra AI — Threat Hunting Assistant

Powered by threat intelligence · MITRE ATT&CK integrated · GPT-4o + TI Feed

AI

CyberSentra AI ready. I'm integrated with your live SIEM, threat intelligence feeds, and MITRE ATT&CK framework.

I can help you:

  • Analyze IOCs (IPs, domains, file hashes, URLs)
  • Map observed behaviors to MITRE ATT&CK techniques
  • Generate incident triage recommendations
  • Build incident timelines from alert data
  • Recommend response playbooks

    Current context: 23 unresolved critical alerts · 11 active incidents · Anomaly score: 73/100

    What would you like to investigate?

    14:48:00
    KL

    Analyze the suspicious connection from 10.0.1.55 to 91.92.251.103:443. We're seeing 14.2 MB outbound over 12 minutes.

    14:49:22
    AI

    Threat Analysis: 10.0.1.55 → 91.92.251.103:443

    IOC Reputation Check:

  • `91.92.251.103` — **MALICIOUS** · Confidence: 97%
      - Listed in: Abuse.ch, Emerging Threats, MISP
      - Associated with: **LockBit 3.0 C2 infrastructure**
      - First seen: 2024-03-14 · Last seen: 2026-06-11
      - ASN: AS49505 (Selectel LLC, Russia 🇷🇺)

    Behavioral Analysis:

    The 14.2 MB transfer over 12 minutes at a consistent ~20 KB/s rate is characteristic of **staged data exfiltration** or **ransomware encryption key exchange**. The low-and-slow transfer rate is a deliberate evasion technique to avoid bandwidth anomaly detection.

    MITRE ATT&CK Mapping:

  • T1041 — Exfiltration Over C2 Channel
  • T1486 — Data Encrypted for Impact (likely staging)
  • T1071.001 — Application Layer Protocol: Web Protocols

    Risk Assessment: CRITICAL

    This strongly indicates an active ransomware deployment in progress on host PROD-DB-04 (10.0.1.55).

    Immediate Recommended Actions:

    1. 🔴 Isolate PROD-DB-04 from network immediately

    2. 🔴 Block 91.92.251.103 at perimeter firewall (all ports)

    3. 🟡 Capture full PCAP of remaining session

    4. 🟡 Initiate Ransomware Response Playbook RB-007

    5. 🟢 Preserve memory dump before isolation

    Tags: [IP] 91.92.251.103 · [IP] 10.0.1.55 · T1041 · T1486 · T1071.001
    14:49:35
    KL

    What about the hash d4f8a2c1e9b3047a5f6d2e8c4b1a9f3e2? Found it in the PROD-DB-04 temp directory.

    14:50:11
    AI

    File Hash Analysis: `d4f8a2c1e9b3047a5f6d2e8c4b1a9f3e2`

    VirusTotal / Threat Intel Result:

  • Detection Rate: 58/72 engines — CONFIRMED MALWARE
  • Malware Family: LockBit 3.0 (ransomware)
  • File Type: PE32+ executable (Windows x64)
  • File Size: 342 KB
  • Compiled: 2026-05-28 (recently compiled — likely custom build)
  • Packer: UPX 3.96 + custom obfuscation layer

    Capabilities Identified:

  • Shadow copy deletion (`vssadmin delete shadows`)
  • Windows Defender disablement via registry
  • Network share enumeration
  • RSA-2048 + AES-256 encryption routine
  • Ransom note deployment: `LockBit_README.txt`

    MITRE ATT&CK Mapping:

  • T1490 — Inhibit System Recovery
  • T1562.001 — Impair Defenses: Disable/Modify Tools
  • T1135 — Network Share Discovery
  • T1486 — Data Encrypted for Impact

    Verdict: ACTIVE RANSOMWARE PAYLOAD — CRITICAL INCIDENT

    This confirms INC-2024-0847 is an active LockBit 3.0 deployment. The payload was likely dropped via the C2 channel we identified. Recommend immediate escalation to IR team lead.

    Tags: [Hash] d4f8a2c1e9b3047a5f6d2e8c… · T1490 · T1562.001 · T1135 · T1486
    14:50:28
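The "low-and-slow" argument the assistant makes about the 10.0.1.55 session (a steady rate sustained over minutes, to a destination already on a C2 blocklist) is something a detection engineer would rather run as code than read in a chat bubble. The block below is an added example written for this page; it is not CyberSentra code and not part of the transcript. The flow-log CSV layout, the thresholds, the corporate address ranges and the blocklist contents are all constructed assumptions, and the flow records are fabricated to reproduce the 14.2 MB / 12-minute session. The point it shows beyond the chat: a transfer is only flagged when it is both large and evenly paced, so a single bulk burst (ordinary backup or sync traffic) is not reported, and the severity is raised to CRITICAL only by blocklist corroboration, not by the rate alone.

```python
"""Low-and-slow outbound transfer check over constructed flow records.

Added example for this page; not CyberSentra code. The CSV layout, the
blocklist, the internal ranges and every threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed blocklist seeded from the malicious IPs on the dashboard.
BLOCKLIST = {
    "91.92.251.103": "LockBit 3.0 C2",
    "77.88.21.3": "Cobalt Strike Beacon C2",
    "193.32.162.48": "Known C2 infrastructure",
}
# Assumed corporate address space; flows that stay inside it are never exfil candidates.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: timestamp,src,dst,dport,bytes_out (one record per minute).
SAMPLE_FLOWS = """\
# 10.0.1.55 -> 91.92.251.103:443, ~1.09 MB every minute, 14.2 MB over 12 minutes
2026-06-11T14:36:00,10.0.1.55,91.92.251.103,443,1092000
2026-06-11T14:37:00,10.0.1.55,91.92.251.103,443,1095000
2026-06-11T14:38:00,10.0.1.55,91.92.251.103,443,1090000
2026-06-11T14:39:00,10.0.1.55,91.92.251.103,443,1093000
2026-06-11T14:40:00,10.0.1.55,91.92.251.103,443,1091000
2026-06-11T14:41:00,10.0.1.55,91.92.251.103,443,1094000
2026-06-11T14:42:00,10.0.1.55,91.92.251.103,443,1092000
2026-06-11T14:43:00,10.0.1.55,91.92.251.103,443,1090000
2026-06-11T14:44:00,10.0.1.55,91.92.251.103,443,1095000
2026-06-11T14:45:00,10.0.1.55,91.92.251.103,443,1093000
2026-06-11T14:46:00,10.0.1.55,91.92.251.103,443,1091000
2026-06-11T14:47:00,10.0.1.55,91.92.251.103,443,1092000
2026-06-11T14:48:00,10.0.1.55,91.92.251.103,443,1094000
# Same host: one 9 MB burst then a trickle to an assumed backup target (bursty, not flagged)
2026-06-11T14:40:00,10.0.1.55,203.0.113.10,443,9000000
2026-06-11T14:43:00,10.0.1.55,203.0.113.10,443,50000
2026-06-11T14:46:00,10.0.1.55,203.0.113.10,443,20000
# Internal replication traffic (both ends internal, ignored)
2026-06-11T14:40:00,10.0.1.55,10.0.2.5,3306,20000000
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse the constructed CSV layout; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_slow_exfil(flows, min_bytes=5_000_000, min_duration=timedelta(minutes=5), max_cv=0.5):
    """Flag sustained, evenly paced internal->external transfers.

    Pacing is measured as the coefficient of variation (std/mean) of the
    per-record byte counts: a low CV is a steady drip, a high CV is a burst.
    """
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            groups[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for (src, dst, dport), recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        total = sum(r.bytes_out for r in recs)
        duration = recs[-1].ts - recs[0].ts
        if len(recs) < 3 or total < min_bytes or duration < min_duration:
            continue
        mean = total / len(recs)
        cv = (sum((r.bytes_out - mean) ** 2 for r in recs) / len(recs)) ** 0.5 / mean
        if cv > max_cv:
            continue  # bursty bulk traffic, not rate-shaped
        seconds = duration.total_seconds()
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "bytes": total, "duration_s": int(seconds),
            "rate_kb_s": round(total / seconds / 1000, 1),
            "cv": round(cv, 3),
            "intel": BLOCKLIST.get(dst),
            # Rate alone is MEDIUM; a known C2 destination makes it CRITICAL.
            "severity": "CRITICAL" if dst in BLOCKLIST else "MEDIUM",
            "attack": (["T1041"] if dst in BLOCKLIST else []) + (["T1071.001"] if dport in (80, 443) else []),
        })
    return findings


def analyze_sample():
    return find_slow_exfil(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

Run stand-alone it reports one finding: the 91.92.251.103 session at about 19.7 KB/s with a CV near zero, tagged T1041 and T1071.001 and CRITICAL because the destination is on the constructed blocklist; the burst to 203.0.113.10 and the internal MySQL replication are not reported. In production the thresholds would be tuned per host role, and the CV test should be paired with an allowlist of known sync and backup destinations, since steady transfers are also what legitimate agents produce.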
IOC panel:

| Type   | Indicator                          | Verdict    | Context                     | Confidence | TLP   | Country |
|--------|------------------------------------|------------|-----------------------------|------------|-------|---------|
| IP     | 91.92.251.103                      | MALICIOUS  | LockBit 3.0 C2              | 97%        | RED   | RU      |
| Hash   | d4f8a2c1e9b304...                  | MALICIOUS  | LockBit 3.0 Payload         | 94%        | RED   |         |
| IP     | 185.220.101.47                     | MALICIOUS  | TOR Exit Node / BruteForce  | 88%        | AMBER | DE      |
| Domain | corp-update-service.ru             | SUSPICIOUS | Lookalike domain — APT29    | 71%        | AMBER | RU      |
| IP     | 45.142.212.100                     | SUSPICIOUS | Hosting — known bulletproof | 64%        | AMBER | NL      |
| URL    | hxxp://93.184.216.34/d/payload.exe | MALICIOUS  | Malware distribution URL    | 91%        | RED   | US      |
| Domain | telemetry-cdn-update.com           | SUSPICIOUS | Possible C2 — monitoring    | 58%        | AMBER | US      |
| Hash   | a1b2c3d4e5f60789...                | CLEAN      | No detections               | 2%         | WHITE |         |
| IP     | 77.88.21.3                         | MALICIOUS  | Cobalt Strike Beacon C2     | 83%        | RED   | RU      |
| IP     | 193.32.162.48                      | MALICIOUS  | Known C2 infrastructure     | 79%        | AMBER | RU      |
| Domain | secure-login-portal.xyz            | SUSPICIOUS | Phishing infrastructure     | 66%        | AMBER | NL      |
| Hash   | f9e8d7c6b5a43210...                | MALICIOUS  | APT41 Backdoor — DEADEYE    | 96%        | RED   |         |

12 IOCs · 7 malicious · 4 suspicious