Edit tour

Windows Analysis Report
https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b

Overview

General Information

Sample URL:	https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b
Analysis ID:	1514202

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected non-DNS traffic on DNS port

Found iframes

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7156 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,17791287942870288189,15700523817819444516,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

• Phishing
• Compliance
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif	HTTP Parser: Iframe src: https://login.okta.com/discovery/iframe.html
Source: https://usaauth.okta.com/	HTTP Parser: Iframe src: https://login.okta.com/discovery/iframe.html
Source: https://usaauth.okta.com/	HTTP Parser: Iframe src: https://login.okta.com/discovery/iframe.html
Source: https://usaauth.okta.com/signin/verify/piv	HTTP Parser: Iframe src: https://login.okta.com/discovery/iframe.html

Source: https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif	HTTP Parser: Number of links: 1
Source: https://usaauth.okta.com/signin/verify/piv	HTTP Parser: Number of links: 1

Source: https://sso.services.box.net/sp/startSSO.ping?PartnerIdpId=exk8gx9b55OIXSPeT296&TargetResource=https%3A%2F%2Fusafx.account.box.com%2Fsso%2Fping_federate%3Ffrom%3Dbox%26redirect_url%3D%252Ffolder%252F285371704111%253Ftc%253Dcollab-folder-invite-treatment-b

HTTP Parser: Base64 decoded: <samlp:AuthnRequest Version="2.0" ID="whF_-0l3VYH.exB-t6FtOZA2y9r" IssueInstant="2024-09-19T21:44:13.720Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">box.net</saml:Issuer><samlp:NameI...

Source: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b

HTTP Parser: Title: Box | Login does not match URL

Source: https://usaauth.okta.com/

HTTP Parser: <input type="password" .../> found

Source: https://sso.services.box.net/sp/startSSO.ping?PartnerIdpId=exk8gx9b55OIXSPeT296&TargetResource=https%3A%2F%2Fusafx.account.box.com%2Fsso%2Fping_federate%3Ffrom%3Dbox%26redirect_url%3D%252Ffolder%252F285371704111%253Ftc%253Dcollab-folder-invite-treatment-b	HTTP Parser: No favicon
Source: https://usaauth.okta.com/	HTTP Parser: No favicon

Source: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b	HTTP Parser: No <meta name="author".. found
Source: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b	HTTP Parser: No <meta name="author".. found
Source: https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif	HTTP Parser: No <meta name="author".. found
Source: https://usaauth.okta.com/	HTTP Parser: No <meta name="author".. found
Source: https://usaauth.okta.com/	HTTP Parser: No <meta name="author".. found
Source: https://usaauth.okta.com/signin/verify/piv	HTTP Parser: No <meta name="author".. found

Source: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b	HTTP Parser: No <meta name="copyright".. found
Source: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b	HTTP Parser: No <meta name="copyright".. found
Source: https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif	HTTP Parser: No <meta name="copyright".. found
Source: https://usaauth.okta.com/	HTTP Parser: No <meta name="copyright".. found
Source: https://usaauth.okta.com/	HTTP Parser: No <meta name="copyright".. found
Source: https://usaauth.okta.com/signin/verify/piv	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:55147 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:55187 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:55145 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: usafx.app.box.com
Source: global traffic	DNS traffic detected: DNS query: usafx.account.box.com
Source: global traffic	DNS traffic detected: DNS query: cdn01.boxcdn.net
Source: global traffic	DNS traffic detected: DNS query: assets.adobedtm.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sanalytics.box.com
Source: global traffic	DNS traffic detected: DNS query: sso.services.box.net
Source: global traffic	DNS traffic detected: DNS query: usaauth.okta.com
Source: global traffic	DNS traffic detected: DNS query: ok5static.oktacdn.com
Source: global traffic	DNS traffic detected: DNS query: login.okta.com
Source: global traffic	DNS traffic detected: DNS query: usaauth.mtls.okta.com

Source: unknown	Network traffic detected: HTTP traffic on port 55172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 55181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 55148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55152
Source: unknown	Network traffic detected: HTTP traffic on port 55167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55157
Source: unknown	Network traffic detected: HTTP traffic on port 55171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55158
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55165
Source: unknown	Network traffic detected: HTTP traffic on port 55185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55166
Source: unknown	Network traffic detected: HTTP traffic on port 55164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55163
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55169
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55178
Source: unknown	Network traffic detected: HTTP traffic on port 55158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55170
Source: unknown	Network traffic detected: HTTP traffic on port 55180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55179
Source: unknown	Network traffic detected: HTTP traffic on port 55152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55182
Source: unknown	Network traffic detected: HTTP traffic on port 55183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55185
Source: unknown	Network traffic detected: HTTP traffic on port 55166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:55147 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:55187 version: TLS 1.2

Source: classification engine

Classification label: clean3.win@21/6@40/166

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,17791287942870288189,15700523817819444516,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,17791287942870288189,15700523817819444516,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Drive-by Compromise	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
box.com.ssl.sc.omtrdc.net	63.140.62.27	true	false	unknown
usafx.account.box.com	74.112.186.157	true	false	unknown
ok5-crtr-tls12-fips-nlb-e78e087fd7cec627.elb.us-west-2.amazonaws.com	34.223.206.6	true	false	unknown
d2v3fh9ekgeobe.cloudfront.net	18.66.147.97	true	false	unknown
usafx.app.box.com	74.112.186.157	true	false	unknown
sso.services.box.net	74.112.186.157	true	false	unknown
www.google.com	142.250.186.68	true	false	unknown
ok5-crtr-mtls-45dfa7c69d45a9e5.elb.us-west-2.amazonaws.com	34.223.206.1	true	false	unknown
d37qf8t9pe6csu.cloudfront.net	52.85.49.57	true	false	unknown
ok5static.oktacdn.com	unknown	unknown	false	unknown
usaauth.okta.com	unknown	unknown	false	unknown
assets.adobedtm.com	unknown	unknown	false	unknown
sanalytics.box.com	unknown	unknown	false	unknown
cdn01.boxcdn.net	unknown	unknown	false	unknown
usaauth.mtls.okta.com	unknown	unknown	false	unknown
login.okta.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b	false	unknown
https://usaauth.okta.com/	false	unknown
https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif	false	unknown
https://usaauth.okta.com/signin/verify/piv	false	unknown
https://sso.services.box.net/sp/startSSO.ping?PartnerIdpId=exk8gx9b55OIXSPeT296&TargetResource=https%3A%2F%2Fusafx.account.box.com%2Fsso%2Fping_federate%3Ffrom%3Dbox%26redirect_url%3D%252Ffolder%252F285371704111%253Ftc%253Dcollab-folder-invite-treatment-b	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
74.112.186.157	usafx.account.box.com	United States	33011	BOXNETUS	false
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
34.223.206.4	unknown	United States	16509	AMAZON-02US	false
104.16.144.15	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
108.177.15.84	unknown	United States	15169	GOOGLEUS	false
18.66.147.97	d2v3fh9ekgeobe.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
216.58.206.74	unknown	United States	15169	GOOGLEUS	false
34.223.206.0	unknown	United States	16509	AMAZON-02US	false
216.58.212.142	unknown	United States	15169	GOOGLEUS	false
34.223.206.1	ok5-crtr-mtls-45dfa7c69d45a9e5.elb.us-west-2.amazonaws.com	United States	16509	AMAZON-02US	false
108.138.7.85	unknown	United States	16509	AMAZON-02US	false
184.28.89.29	unknown	United States	16625	AKAMAI-ASUS	false
13.227.219.113	unknown	United States	16509	AMAZON-02US	false
172.217.18.3	unknown	United States	15169	GOOGLEUS	false
63.140.62.27	box.com.ssl.sc.omtrdc.net	United States	15224	OMNITUREUS	false
34.223.206.6	ok5-crtr-tls12-fips-nlb-e78e087fd7cec627.elb.us-west-2.amazonaws.com	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.85.49.57	d37qf8t9pe6csu.cloudfront.net	United States	16509	AMAZON-02US	false
142.250.185.131	unknown	United States	15169	GOOGLEUS	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1514202
Start date and time:	2024-09-19 23:43:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.win@21/6@40/166

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.18.3, 142.250.184.206, 108.177.15.84, 34.104.35.123, 104.16.144.15, 104.16.145.15, 184.28.89.29
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, e7808.dscg.akamaiedge.net, cn-assets.adobedtm.com.edgekey.net, clientservices.googleapis.com, clients.l.google.com, cdn01.boxcdn.net.cdn.cloudflare.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b

LLM Input / Output

Input	Output
URL: https://usafx.account.box.com/login?redirect_url=%2Ffolder%2F285371704111%3Ftc%3Dcollab-folder-invite-treatment-b Model: jbxai	{ "brand":["USAfx"], "contains_trigger_text":true, "prominent_button_name":"Continue", "text_input_field_labels":["unknown"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://usaauth.okta.com/signin/refresh-auth-state/00dERxhWiAyiKxAqadGoAhaCyaHah26AMyDPbiwxif Model: jbxai	{ "brand":["USAfx", "Okta"], "contains_trigger_text":false, "prominent_button_name":"unknown", "text_input_field_labels":["unknown"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://usaauth.okta.com/ Model: jbxai	{ "brand":["USAfx", "USAauth"], "contains_trigger_text":true, "prominent_button_name":"Sign In", "text_input_field_labels":["Email Address", "Password"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://usaauth.okta.com/ Model: jbxai	{ "phishing_score":1, "brands":["USA.gov"], "sub_domain":"usaauth", "legit_domain":"okta", "partial_domain_match":false, "brand_matches_associated_domain":true, "reasons":"The domain 'okta.com' is a legitimate domain associated with the brand 'Okta', which is a well-known identity and access management company. The subdomain 'usaauth' is also related to authentication, which aligns with the identified brand 'USA.gov'. The design and content of the webpage are consistent with a legitimate login page for a government information system. There are no suspicious elements in the URL or the webpage that would indicate a phishing attempt.", "subdomain_check":{ "riskscore":2, "reasons":["The subdomain 'usaauth' is specific to the brand 'USA.gov' and appears to be an authentication portal, which is a common practice for government agencies.", "Okta is a well-known and reputable identity management platform, which reduces the likelihood of phishing.", "The domain 'okta.com' is a legitimate and trusted domain, and the use of a subdomain for a specific brand is a common configuration for Okta customers.", "There is no obvious indication of phishing or malicious intent in the URL or subdomain structure."]} , "brand_matches":[false], "url_match":false}

URL: https://usaauth.okta.com/ Model: jbxai	{ "brand":["USAauth"], "contains_trigger_text":true, "prominent_button_name":"Sign In", "text_input_field_labels":["Email Address", "Password"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://usaauth.okta.com/signin/verify/piv Model: jbxai	{ "brand":["USAfx", "USAauth"], "contains_trigger_text":false, "prominent_button_name":"unknown", "text_input_field_labels":["unknown"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://usaauth.okta.com/ Model: jbxai	{ "phishing_score":1, "brands":["USAauth", "Okta"], "sub_domain":"usaauth", "legit_domain":"okta", "partial_domain_match":false, "brand_matches_associated_domain":true, "reasons":"The domain name 'usaauth.okta.com' fully matches the legitimate domain name associated with the identified brand 'Okta'. The brand 'Okta' is commonly associated with the given domain and the subdomain 'usaauth' is likely a legitimate subdomain for authentication purposes.", "subdomain_check":{ "riskscore":2, "reasons":["The subdomain 'usaauth' is a reasonable and legitimate subdomain for the brand 'USAauth'.", "Okta is a well-known and reputable identity and access management platform, which reduces the likelihood of phishing.", "The domain 'okta.com' is a trusted domain, and the subdomain 'usaauth' is likely a custom domain setup for the USAauth brand.", "No obvious typos or suspicious characters are present in the subdomain or domain."]} , "brand_matches":[true, false], "url_match":false}

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 19 20:43:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9909289064426616
Encrypted:	false
SSDEEP:
MD5:	52F7B788DBF64C1BD2A7E00D0D7782E3
SHA1:	FFD7FE7945EF307F0630EFC93904BBD0E7ED088A
SHA-256:	EA514DB2D10544539BCFA91E0B702D5F1F87EC1452340ADCF6C1A66DD4861A48
SHA-512:	6AEBC40DF013B95CF35823BB9E6B23DC66D45D4CBF6693A3014A26CEC580260597EAA4FB29B47E4560FF4095BE3ACB00B327431846A4441F71B1E165C30D3153
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....U......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 19 20:43:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.006238136914072
Encrypted:	false
SSDEEP:
MD5:	267AF6D0566D904D4EA0069E4F7401EC
SHA1:	2934FB8DC9E0582505D41C8433949B459BE867C1
SHA-256:	EBF90FEAD396B63E6ECE1D8DA8E6316D825857282FC86D509A6BA82F84CD0312
SHA-512:	CD9716A1CE01799F39F6ADA4F822D25F989743956FDC8E76A0AA2050A3B741A6CFC92544D1BD59D8C25237891444F04E56E42F02150C9F33CA3B8CBDA805C3E9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,...._.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.0117309175012705
Encrypted:	false
SSDEEP:
MD5:	0B42DDD4AEFFF3EEA3C8EB6E5A7E4EC0
SHA1:	2C1CFAB36AB5D567FD33D5883EF2C06F901DDD87
SHA-256:	077D44B6B2442FC209F2EE99C300934D61E90DDFEA7F752530F86A98C25F46ED
SHA-512:	A2320A12BAFEA4D4896E3F48659B0E418A80AA59E1FF126F2EBA9DDBD4E7B769A7EED2C2C04C565992EB1555EC863AC08076C15F54309115FA5B9CD20A3C37F4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 19 20:43:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.000626718073241
Encrypted:	false
SSDEEP:
MD5:	5DFFFEB09495C45719B76BE77E6BB703
SHA1:	DC26DB0991728ABFA26F280A6EF7CADCBC8A5FC1
SHA-256:	B34E5F3A4E597B87E5967577FF65E96DFB76314CA12BFA8AEB45E67637B2F889
SHA-512:	402FEBAC8BDC9BCDD2F31BEDB7912C1298A4C6D18536E2F1D0490D12067647245AC6923490551BFF9A4469E4BCB3BB455742B556AAB9DEB14CE24BC1BE22DB92
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....GG......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 19 20:43:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.991565894925302
Encrypted:	false
SSDEEP:
MD5:	90D6E8F60B9F7EC49AA080858F6C371C
SHA1:	ED182704C27FFC21BF40C1B1728662B5C14DB4BD
SHA-256:	F02778F903B6A0385DEF1A53192C3FD3EE88DAE4C78C322A7E80A10C2316F953
SHA-512:	629ACB7460D7D778A38DD0A935ED878BEE682BC77B2277241D94026B0F2F6B967138E584D5A9F6AB1F8C4ABD27851DB94A20AB057CFE81F8D3BFF6627335C8AE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....#.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 19 20:43:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.000333158348078
Encrypted:	false
SSDEEP:
MD5:	F6F261BC6A998405CAEAD664A5ADD129
SHA1:	C7D9EE29AF2FB44CE78D2E44E14C6C873332A3C4
SHA-256:	350FF6BFC02790AEED693368BFD83364D248091E8D73C37931D35EB40C5ECAAE
SHA-512:	B7AC43EE50E8DAA41A776EE1852AADF84A533A262A800B417FC299E1A127AEACD07D754D28A785159CFFCDE84F419F5149EDBABE93C3C7A3D82181F3F683CA09
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....=\......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I3Ys.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3Y}.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3Y}.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3Y}............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<.5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Windows Analysis Report
https://usafx.app.box.com/folder/285371704111?tc=collab-folder-invite-treatment-b