Edit tour

Windows Analysis Report
http://yoosee.co/PCdownload.html

Overview

General Information

Sample URL:	http://yoosee.co/PCdownload.html
Analysis ID:	1323881
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sample execution stops while process was sleeping (likely an evasion)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Drops PE files

PE file overlay found

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Creates files inside the system directory

Classification

Process Tree

System is w10x64

cmd.exe (PID: 1772 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 180 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

chrome.exe (PID: 5924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\PCdownload.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://yoosee.co/pcdownload.html" > cmdline.out 2>&1

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	1 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://yoosee.co/PCdownload.html	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\Unconfirmed 462738.crdownload	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://yoosee.co/PCdownload.htmlModel	wget.exe, 00000002.00000002.1649158590.0000000001050000.00000004.00000020.00020000.00000000.sdmp	false	high
http://yoosee.co/PCdownload.htmlpData	wget.exe, 00000002.00000002.1649158590.0000000001050000.00000004.00000020.00020000.00000000.sdmp	false	high
https://gw-fota-prod-1251981983.cos.ap-nanjing.myqcloud.com/gwellota/1000/1693817831722/yoosee-1.0.0	wget.exe, 00000002.00000002.1649158590.000000000105A000.00000004.00000020.00020000.00000000.sdmp, PCdownload.html.2.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	Unconfirmed 462738.crdownload.3.dr	false	high
http://yoosee.co/PCdownload.htmli	wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp	false	high
http://yoosee.co/PCdownload.html	wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	false	high
http://yoosee.co/PCdownload.htmlMMM	wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.14.109	unknown	United States	15169	GOOGLEUS	false
3.120.147.24	unknown	United States	16509	AMAZON-02US	false
142.250.176.3	unknown	United States	15169	GOOGLEUS	false
142.250.68.67	unknown	United States	15169	GOOGLEUS	false
142.250.68.46	unknown	United States	15169	GOOGLEUS	false
142.250.217.142	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
129.211.179.197	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
142.250.72.164	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5
192.168.2.102

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1323881
Start date and time:	2023-10-11 18:02:30 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	http://yoosee.co/PCdownload.html
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.win@21/4@0/13
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: http://yoosee.co/PCdownload.html

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	498
Entropy (8bit):	4.943992489508822
Encrypted:	false
SSDEEP:	12:H0SvICTxSegFT1De5RhKk1DbfbKO4vCuGlvifbKOf:L9zGTxePgk1XbVHKbb
MD5:	0B7D03FFC8860432BF231372710D4E85
SHA1:	3E6F6EEE9E885BF2F019C5297B6AC29FB8CCA6E8
SHA-256:	108A8760836C84E2D6544972B09925D5955EBDB15F02AADD2644C999C738C424
SHA-512:	D314A3DCED09686FFA8F5F32F0B49E159870413927D344B533A6EBBB76F0D6312467778A15F108C54444D0771CF742DF024AADD31C652EC26A752C962DF32E5F
Malicious:	false
Reputation:	low
Preview:	--2023-10-11 18:03:17-- http://yoosee.co/PCdownload.html..Resolving yoosee.co (yoosee.co)... 3.120.147.24..Connecting to yoosee.co (yoosee.co)\|3.120.147.24\|:80... connected...HTTP request sent, awaiting response... 200 OK..Length: 402 [text/html]..Saving to: 'C:/Users/user/Desktop/download/PCdownload.html'.... 0K 100% 179K=0.002s....2023-10-11 18:03:18 (179 KB/s) - 'C:/Users/user/Desktop/download/PCdownload.html' saved [402/402]....

C:\Users\user\Desktop\download\PCdownload.html

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	HTML document, ASCII text, with very long lines (401)
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.170441776034265
Encrypted:	false
SSDEEP:	6:haxVgYkCk3iMOMYRCkhdV/TXCeEaYVN0hB96L3+mYntKzIJ2iMAduxj5LZOS:haxV1kOMYRVLXH9YHT7+PtgIJnu3ZOS
MD5:	97DE1CDD6F71A2BCFB7B91574DDC8997
SHA1:	50394F1F79757559ABA217B4CF5CBDBD026E309C
SHA-256:	025ADACD63945E8ED4F088DA2F9791F8C7A18C031E63B81B82FB3853AD35FEF0
SHA-512:	38C4E653167A0BE2EEE540769C2DEFA0DFDCBA3933E0089FE3AE289B1E1F22CF488D33DF4881A8AB52A808FC36E7E9606BB5714DF92246A1EF9AD68C7B5A86FA
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><title>PC</title><meta name="description" content=""><meta name="keywords" content=""><link href="" rel="stylesheet"></head><body><script>window.location.href="https://gw-fota-prod-1251981983.cos.ap-nanjing.myqcloud.com/gwellota/1000/1693817831722/yoosee-1.0.0.7.exe"</script></body></html>.

C:\Users\user\Downloads\3cca2bdc-3739-4123-b3a1-1026ed0cfcc7.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16004
Entropy (8bit):	6.252339750561783
Encrypted:	false
SSDEEP:	384:7WshyLTNZNH1eJd0SIcBiSFxi7yhv4mi/yAzY2w2Q:7Ws2ZNc0ncBiSFxoyIO2Q
MD5:	AAD5865DC166DD9CBF10B82A88C798C7
SHA1:	83D6DE32BF2B2D2EB20DA110C772506026D136DF
SHA-256:	64643AD4BB15D379A68DDD34BA8CE8052B47130B9A9E59136CB7E90B8574CEE9
SHA-512:	037852F5FB5E6961F1177EAB49EDA49553BF2141205F78F5520F1FEDF97C8AE21C21BBCF684A7231BC7D83D91C2C6A9BEFE1B410FE6BC740E3DD5A4B0FF445BF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@.............................................h?...........................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata... ...............................rsrc...h?.......@..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\Unconfirmed 462738.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	105795406
Entropy (8bit):	7.999963421612878
Encrypted:	true
SSDEEP:	3145728:CvxJz+Qa3ljcYvjBiGqc/wKQC5DqG0hGDeBqxItB/Q:YJ2Rr9cNCJqG00DeUc4
MD5:	00C6520DC27E28199A0A62CE264B4668
SHA1:	E4DC70D294EC3C9D90331BB331570102D9E8149C
SHA-256:	7045A7E79B034FFEFF926B014D0873980D8CFF2DCFD5C820D422A55F2DFC6E5E
SHA-512:	E03D5799E90760B30F8C5C72FA5D1A09293B7758B82703B403392BB2164BDAE5596308CB30793526E2AF0EA1F8D4263B1DDAF9C1645982841608BA56B44C350B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@.............................................h?...........................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata... ...............................rsrc...h?.......@..................@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

⊘No static file info

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• wget.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• wget.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	18:03:17
Start date:	11/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html" > cmdline.out 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:03:17
Start date:	11/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:03:17
Start date:	11/10/2023
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:03:20
Start date:	11/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\PCdownload.html
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:03:20
Start date:	11/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:03:23
Start date:	11/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Source: Unconfirmed 462738.crdownload.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: http://yoosee.co/PCdownload.html
Source: wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yoosee.co/PCdownload.htmlMMM
Source: wget.exe, 00000002.00000002.1649158590.0000000001050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yoosee.co/PCdownload.htmlModel
Source: wget.exe, 00000002.00000002.1649158590.0000000001055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yoosee.co/PCdownload.htmli
Source: wget.exe, 00000002.00000002.1649158590.0000000001050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yoosee.co/PCdownload.htmlpData
Source: wget.exe, 00000002.00000002.1649158590.000000000105A000.00000004.00000020.00020000.00000000.sdmp, PCdownload.html.2.dr	String found in binary or memory: https://gw-fota-prod-1251981983.cos.ap-nanjing.myqcloud.com/gwellota/1000/1693817831722/yoosee-1.0.0

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\PCdownload.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://yoosee.co/PCdownload.html"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1920,i,2006501308327448317,18294804143556970323,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 462738.crdownload			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\3cca2bdc-3739-4123-b3a1-1026ed0cfcc7.tmp			Jump to dropped file

Source: wget.exe, 00000002.00000002.1649044025.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Unconfirmed 462738.crdownload.3.dr	Binary or memory string: EHGFs

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://yoosee.co/PCdownload.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\PCdownload.html

C:\Users\user\Downloads\3cca2bdc-3739-4123-b3a1-1026ed0cfcc7.tmp

C:\Users\user\Downloads\Unconfirmed 462738.crdownload

Static File Info

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 1772, Parent PID: 4020

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Monitored

Mutex Activities

Mutex Created

Process Activities

Process Created

Windows Analysis Report
http://yoosee.co/PCdownload.html