Edit tour
Windows
Analysis Report
http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=http://zutg.39.mikecarioscia.com/vljw6rub #tj_base64_encode aHR0cDovLzRic2xo
Overview
General Information
| Sample URL: | http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_ |
| Analysis ID: | 1297646 |
 | |
Detection
| Score: | 0 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
URL contains potential PII (phishing indication)
Classification
- System is w10x64_ra
chrome.exe (PID: 4360 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://c lickserve. dartsearch .net/link/ click?&ds_ a_cid=6807 60384&ds_a _caid=1269 4754542&ds _a_agid=12 3477218634 &ds_a_fiid =&ds_a_lid =ds_e_adid =512650395 034&ds_e_m atchtype=& ds_e_devic e=c&ds_e_n etwork=&&d s_url_v=2& ds_dest_ur l=http://z utg.39.mik ecarioscia .com/vljw6 rub%20#tj_ base64_enc ode%20aHR0 cDovLzRic2 xob2dnLmpv am51Y25rLn NoaXJpbml6 LmlyL2RhLw ==?em=carr ie.bradley @creditone .com%22 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1) - chrome.exe (PID: 7008 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2044 --fi eld-trial- handle=179 2,i,101046 9592212169 958,252359 6798248504 704,131072 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionTarget Prediction /prefetch :8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
- cleanup
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • Phishing
- • Compliance
- • Networking
- • System Summary
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Sample URL: | ||
| Source: | Directory created: | ||
| Source: | DNS traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Classification label: | ||
| Source: | File created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Window detected: | ||
| Source: | Directory created: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 2 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| accounts.google.com | 172.217.16.205 | true | false | high | |
| www.google.com | 172.217.18.4 | true | false | high | |
| clients.l.google.com | 172.217.23.110 | true | false | high | |
| clickserve.dartsearch.net | 142.250.186.174 | true | false | high | |
| clients2.google.com | unknown | unknown | false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.217.23.110 | clients.l.google.com | United States | 15169 | GOOGLEUS | false | |
| 142.250.184.195 | unknown | United States | 15169 | GOOGLEUS | false | |
| 1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
| 34.104.35.123 | unknown | United States | 15169 | GOOGLEUS | false | |
| 142.250.186.36 | unknown | United States | 15169 | GOOGLEUS | false | |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
| 142.250.186.174 | clickserve.dartsearch.net | United States | 15169 | GOOGLEUS | false | |
| 172.217.16.205 | accounts.google.com | United States | 15169 | GOOGLEUS | false | |
| 142.250.186.132 | unknown | United States | 15169 | GOOGLEUS | false | |
| 172.217.16.195 | unknown | United States | 15169 | GOOGLEUS | false |
| IP |
|---|
| 192.168.2.1 |
| Joe Sandbox Version: | 38.0.0 Beryl |
| Analysis ID: | 1297646 |
| Start date and time: | 2023-08-25 22:48:15 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Sample URL: | http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=http://zutg.39.mikecarioscia.com/vljw6rub #tj_base64_encode aHR0cDovLzRic2xob2dnLmpvam51Y25rLnNoaXJpbml6LmlyL2RhLw==?em=carrie.bradley@creditone.com" |
| Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | stream |
| Analysis stop reason: | Timeout |
| Detection: | CLEAN |
| Classification: | clean0.win@24/0@7/116 |
- Exclude process from analysis
(whitelisted): SIHClient.exe - Excluded IPs from analysis (wh
itelisted): 172.217.16.195, 34 .104.35.123 - Excluded domains from analysis
(whitelisted): edgedl.me.gvt1 .com, login.live.com, clientse rvices.googleapis.com - Not all processes where analyz
ed, report is missing behavior information
⊘No created / dropped files found
⊘No static file info
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node