
Windows Analysis Report
https://login.365link.tech/RKiKvqBc

Overview

General Information

Sample URL:https://login.365link.tech/RKiKvqBc
Analysis ID:1579389
Infos:
Errors
  • URL not reachable: every DNS query for login.365link.tech (A and type 65/HTTPS) was answered with Name error (3), NXDOMAIN, so Chrome never obtained an address and never fetched the page (see the DNS tables below). The score of 0 and detection UNKNOWN in this report therefore mean that nothing was observed, not that the URL was found clean.

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

No high impact signatures.

Classification

Classification radar (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious): no category scored.
  • System is w10x64
  • chrome.exe (PID: 5768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 1068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2380,i,1983232769246941206,14067363894061141486,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://login.365link.tech/RKiKvqBc" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Signature results (all signatures; none rated malicious)

Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown; TCP traffic detected without corresponding DNS query: 199.232.214.172 (reported twice)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: login.365link.tech
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: unknown; Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: classification engine; Classification label: unknown0.win@19/0@12/3
Source: unknown; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2380,i,1983232769246941206,14067363894061141486,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://login.365link.tech/RKiKvqBc"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (reported 15 times; the command lines of these Chrome child processes were not captured)
Source: Window Recorder; Window detected: More than 3 window changes detected

Reading the "without corresponding DNS query" entries against the packet lists further down: 1.1.1.1 is the VM's DNS resolver and every UDP flow to it is a port-53 query, so the absence of a lookup for the resolver's own address is expected, not suspicious. 173.222.162.32 (a single outbound packet to port 443 at 02:30:54, no reply recorded) and 199.232.214.172 (port 80, 02:31:12) appear in the TCP list with no A answer mapping to them; neither can be the sample's host, because login.365link.tech never resolved. The only port-443 flow with traffic in both directions is the one to 142.250.181.132 (www.google.com) on client port 49737.
MITRE ATT&CK matrix (tactic: techniques shown in that column; a number in brackets is the count of matched signatures; cells without one are the matrix's unmatched placeholder techniques)
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Process Injection [1]; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Process Injection [1]; Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: System Service Discovery; Application Window Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Encrypted Channel [2]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID 1579389; URL https://login.365link.tech/...; start date 22/12/2024; architecture WINDOWS; score 0). Nodes and edges recovered from the graph:
  • root -> login.365link.tech, fp2e7a.wpc.phicdn.net, fp2e7a.wpc.2be4.phicdn.net (DNS/IP nodes)
  • root -> chrome.exe (started), chrome.exe (started)
  • chrome.exe -> 192.168.2.4 (ports 138, 443, 49287; unknown), 239.255.255.250 (Reserved); chrome.exe -> chrome.exe (started)
  • chrome.exe -> www.google.com 142.250.181.132 (ports 443, 49737; GOOGLEUS, United States), login.365link.tech, google.com

No Antivirus matches


Domains (name; IP; active; malicious; antivirus detection; reputation)
google.com             142.250.181.110  true     false  -  high
www.google.com         142.250.181.132  true     false  -  high
fp2e7a.wpc.phicdn.net  192.229.221.95   true     false  -  high
login.365link.tech     unknown          unknown  false  -  high
Reputation legend: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs

IPs (IP; domain; country; ASN; ASN name; malicious)
239.255.255.250  unknown         Reserved       unknown  unknown   false
142.250.181.132  www.google.com  United States  15169    GOOGLEUS  false

IP
192.168.2.4 (analysis VM; source address of all client traffic in the packet lists below)
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1579389
          Start date and time:2024-12-22 02:29:58 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 1m 49s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:browseurl.jbs
          Sample URL:https://login.365link.tech/RKiKvqBc
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:UNKNOWN
          Classification:unknown0.win@19/0@12/3
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • URL browsing timeout or error
          • URL not reachable
          • Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 142.250.181.99, 64.233.162.84, 172.217.19.206, 172.217.17.46, 217.20.58.99, 192.229.221.95, 23.195.62.26, 20.109.210.53
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
          • VT rate limit hit for: https://login.365link.tech/RKiKvqBc
          No simulations
          No context
          No created / dropped files found
          No static file info


• Total Packets: 25
• Ports seen: 443 (HTTPS), 80 (HTTP), 53 (DNS)
TCP packets (timestamp; source port; destination port; source IP; destination IP)
Dec 22, 2024 02:30:54.710158110 CET  49675  443    192.168.2.4      173.222.162.32
Dec 22, 2024 02:30:57.662235975 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:57.662290096 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:57.662378073 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:57.662575006 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:57.662586927 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.367364883 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.367691994 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:59.367724895 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.369371891 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.369436979 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:59.370634079 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:59.370724916 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.413295984 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:30:59.413307905 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:30:59.463654041 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:31:09.068582058 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:31:09.068766117 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:31:09.068823099 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:31:09.962587118 CET  49737  443    192.168.2.4      142.250.181.132
Dec 22, 2024 02:31:09.962629080 CET  443    49737  142.250.181.132  192.168.2.4
Dec 22, 2024 02:31:12.551340103 CET  49723  80     192.168.2.4      199.232.214.172
Dec 22, 2024 02:31:12.671278000 CET  80     49723  199.232.214.172  192.168.2.4
Dec 22, 2024 02:31:12.671354055 CET  49723  80     192.168.2.4      199.232.214.172
UDP packets (timestamp; source port; destination port; source IP; destination IP)
Dec 22, 2024 02:30:53.772829056 CET  53     56550  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:53.818074942 CET  53     52844  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:56.590430975 CET  53     62329  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:57.523925066 CET  62774  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:57.524061918 CET  56001  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:57.661180973 CET  53     62774  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:57.661205053 CET  53     56001  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:59.469263077 CET  55004  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:59.469379902 CET  64225  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:59.607199907 CET  53     55004  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:59.609407902 CET  53     64225  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:59.610141993 CET  58383  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:59.748470068 CET  53     58383  1.1.1.1      192.168.2.4
Dec 22, 2024 02:30:59.787375927 CET  54866  53     192.168.2.4  8.8.8.8
Dec 22, 2024 02:30:59.787667990 CET  60058  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:30:59.922293901 CET  53     54866  8.8.8.8      192.168.2.4
Dec 22, 2024 02:30:59.924387932 CET  53     60058  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:00.950171947 CET  63337  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:31:00.950867891 CET  63015  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:31:01.087498903 CET  53     63337  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:01.088433981 CET  53     63015  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:06.113672972 CET  62693  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:31:06.113908052 CET  59139  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:31:06.251143932 CET  53     59139  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:06.251169920 CET  53     62693  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:06.252077103 CET  49287  53     192.168.2.4  1.1.1.1
Dec 22, 2024 02:31:06.389748096 CET  53     49287  1.1.1.1      192.168.2.4
Dec 22, 2024 02:31:11.280455112 CET  138    138    192.168.2.4  192.168.2.255
Dec 22, 2024 02:31:13.443308115 CET  53     63772  1.1.1.1      192.168.2.4
DNS queries (timestamp; source IP; destination IP; transaction ID; op code; name; type; class; DNS over HTTPS). Type 65 is the HTTPS resource record.
Dec 22, 2024 02:30:57.523925066 CET  192.168.2.4  1.1.1.1  0xd2c   Standard query (0)  www.google.com      A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:30:57.524061918 CET  192.168.2.4  1.1.1.1  0x820a  Standard query (0)  www.google.com      65 (HTTPS)      IN (0x0001)  false
Dec 22, 2024 02:30:59.469263077 CET  192.168.2.4  1.1.1.1  0xeb64  Standard query (0)  login.365link.tech  A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:30:59.469379902 CET  192.168.2.4  1.1.1.1  0x5a9f  Standard query (0)  login.365link.tech  65 (HTTPS)      IN (0x0001)  false
Dec 22, 2024 02:30:59.610141993 CET  192.168.2.4  1.1.1.1  0xe860  Standard query (0)  login.365link.tech  A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:30:59.787375927 CET  192.168.2.4  8.8.8.8  0xc86   Standard query (0)  google.com          A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:30:59.787667990 CET  192.168.2.4  1.1.1.1  0x5cd   Standard query (0)  google.com          A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:31:00.950171947 CET  192.168.2.4  1.1.1.1  0x1923  Standard query (0)  login.365link.tech  A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:31:00.950867891 CET  192.168.2.4  1.1.1.1  0x4a40  Standard query (0)  login.365link.tech  65 (HTTPS)      IN (0x0001)  false
Dec 22, 2024 02:31:06.113672972 CET  192.168.2.4  1.1.1.1  0x5128  Standard query (0)  login.365link.tech  A (IP address)  IN (0x0001)  false
Dec 22, 2024 02:31:06.113908052 CET  192.168.2.4  1.1.1.1  0xcdb1  Standard query (0)  login.365link.tech  65 (HTTPS)      IN (0x0001)  false
Dec 22, 2024 02:31:06.252077103 CET  192.168.2.4  1.1.1.1  0x70f9  Standard query (0)  login.365link.tech  A (IP address)  IN (0x0001)  false
DNS answers (timestamp; source IP; destination IP; transaction ID; reply code; name; CNAME; address; type; class; DNS over HTTPS)
Dec 22, 2024 02:30:57.661180973 CET  1.1.1.1  192.168.2.4  0xd2c   No error (0)    www.google.com              -                      142.250.181.132  A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:30:57.661205053 CET  1.1.1.1  192.168.2.4  0x820a  No error (0)    www.google.com              -                      -                65 (HTTPS)              IN (0x0001)  false
Dec 22, 2024 02:30:59.607199907 CET  1.1.1.1  192.168.2.4  0xeb64  Name error (3)  login.365link.tech          none                   none             A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:30:59.609407902 CET  1.1.1.1  192.168.2.4  0x5a9f  Name error (3)  login.365link.tech          none                   none             65 (HTTPS)              IN (0x0001)  false
Dec 22, 2024 02:30:59.748470068 CET  1.1.1.1  192.168.2.4  0xe860  Name error (3)  login.365link.tech          none                   none             A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:30:59.922293901 CET  8.8.8.8  192.168.2.4  0xc86   No error (0)    google.com                  -                      142.250.181.110  A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:30:59.924387932 CET  1.1.1.1  192.168.2.4  0x5cd   No error (0)    google.com                  -                      172.217.17.46    A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:31:01.087498903 CET  1.1.1.1  192.168.2.4  0x1923  Name error (3)  login.365link.tech          none                   none             A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:31:01.088433981 CET  1.1.1.1  192.168.2.4  0x4a40  Name error (3)  login.365link.tech          none                   none             65 (HTTPS)              IN (0x0001)  false
Dec 22, 2024 02:31:06.251143932 CET  1.1.1.1  192.168.2.4  0xcdb1  Name error (3)  login.365link.tech          none                   none             65 (HTTPS)              IN (0x0001)  false
Dec 22, 2024 02:31:06.251169920 CET  1.1.1.1  192.168.2.4  0x5128  Name error (3)  login.365link.tech          none                   none             A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:31:06.389748096 CET  1.1.1.1  192.168.2.4  0x70f9  Name error (3)  login.365link.tech          none                   none             A (IP address)          IN (0x0001)  false
Dec 22, 2024 02:31:13.977894068 CET  1.1.1.1  192.168.2.4  0xb61a  No error (0)    fp2e7a.wpc.2be4.phicdn.net  fp2e7a.wpc.phicdn.net  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 22, 2024 02:31:13.977894068 CET  1.1.1.1  192.168.2.4  0xb61a  No error (0)    fp2e7a.wpc.phicdn.net       -                      192.229.221.95   A (IP address)          IN (0x0001)  false

All eight queries for login.365link.tech (five A, three HTTPS/type 65) were answered Name error (3), i.e. NXDOMAIN, by 1.1.1.1. No address was ever obtained for the sample's host, which is the "URL not reachable" error reported in the header; the only names that resolved are Google's and the phicdn.net CDN name.
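Worked example (added for this page; not Joe Sandbox code): the script below rebuilds the triage implied by the signature section and the DNS tables above. It parses DNS answer rows copied from the table in the flattened layout seen on this page, collects the addresses actually returned, counts NXDOMAIN answers per name, and then classifies each client-originated flow from the TCP/UDP packet tables (transcribed by hand, because the port and address fields in those rows run together and cannot be split reliably) the way the "traffic detected without corresponding DNS query" signature does: a destination is either an address some A answer returned, the DNS resolver itself, a local/non-routed address, or unexplained by DNS. CLIENT, FLOWS, the regexes and the verdict strings are this example's own assumptions.

```python
"""Rebuild this report's network triage from its own tables (added example,
not Joe Sandbox code). DNS_ANSWER_ROWS are copied from the report's DNS answer
table in the flattened layout seen on this page; FLOWS are transcribed from
the TCP/UDP packet tables. CLIENT, the regexes and the verdict strings are
this example's own assumptions."""
import ipaddress
import re
from collections import defaultdict

CLIENT = "192.168.2.4"  # analysis VM address, per the report's IP section

DNS_ANSWER_ROWS = [
    "Dec 22, 2024 02:30:57.661180973 CET1.1.1.1192.168.2.40xd2cNo error (0)www.google.com142.250.181.132A (IP address)IN (0x0001)false",
    "Dec 22, 2024 02:30:57.661205053 CET1.1.1.1192.168.2.40x820aNo error (0)www.google.com65IN (0x0001)false",
    "Dec 22, 2024 02:30:59.607199907 CET1.1.1.1192.168.2.40xeb64Name error (3)login.365link.technonenoneA (IP address)IN (0x0001)false",
    "Dec 22, 2024 02:30:59.609407902 CET1.1.1.1192.168.2.40x5a9fName error (3)login.365link.technonenone65IN (0x0001)false",
    "Dec 22, 2024 02:30:59.922293901 CET8.8.8.8192.168.2.40xc86No error (0)google.com142.250.181.110A (IP address)IN (0x0001)false",
    "Dec 22, 2024 02:30:59.924387932 CET1.1.1.1192.168.2.40x5cdNo error (0)google.com172.217.17.46A (IP address)IN (0x0001)false",
    "Dec 22, 2024 02:31:06.389748096 CET1.1.1.1192.168.2.40x70f9Name error (3)login.365link.technonenoneA (IP address)IN (0x0001)false",
    "Dec 22, 2024 02:31:13.977894068 CET1.1.1.1192.168.2.40xb61aNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false",
    "Dec 22, 2024 02:31:13.977894068 CET1.1.1.1192.168.2.40xb61aNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false",
]

# (proto, src, sport, dst, dport): one entry per client-originated flow,
# transcribed from the TCP and UDP packet tables.
FLOWS = [
    ("tcp", CLIENT, 49675, "173.222.162.32", 443),
    ("tcp", CLIENT, 49737, "142.250.181.132", 443),
    ("tcp", CLIENT, 49723, "199.232.214.172", 80),
    ("udp", CLIENT, 62774, "1.1.1.1", 53),
    ("udp", CLIENT, 54866, "8.8.8.8", 53),
    ("udp", CLIENT, 138, "192.168.2.255", 138),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEAD = re.compile(
    rf"^(?P<ts>.+? CET)(?P<resolver>{IPV4}){re.escape(CLIENT)}"
    r"(?P<txid>0x[0-9a-f]+)(?P<rcode>No error \(0\)|Name error \(3\))"
    r"(?P<body>.*)IN \(0x0001\)(?:true|false)$"
)
# Body shapes present in the table. The name/address split relies on the
# address being the first digit run after the name; a name that itself ends in
# a digit would be ambiguous in this export (a limit of the layout, not of DNS).
BODY_A = re.compile(rf"^(?P<name>.+?)(?P<addr>{IPV4})A \(IP address\)$")
BODY_NX = re.compile(r"^(?P<name>.+?)nonenone(?P<qtype>A \(IP address\)|65)$")
BODY_65 = re.compile(r"^(?P<name>.+?)65$")  # type 65 = HTTPS RR, no rdata shown


def parse_answer(row):
    """One flattened answer row -> dict, or None for shapes not handled (the
    CNAME row joins two hostnames with no separator: reported, not guessed)."""
    m = HEAD.match(row)
    if not m:
        return None
    rcode = 0 if m["rcode"].startswith("No error") else 3
    body = m["body"]
    if (b := BODY_A.match(body)):
        name, qtype, addr = b["name"], "A", b["addr"]
    elif (b := BODY_NX.match(body)):
        name, qtype, addr = b["name"], ("A" if b["qtype"].startswith("A") else "HTTPS"), None
    elif (b := BODY_65.match(body)):
        name, qtype, addr = b["name"], "HTTPS", None
    else:
        return None
    return {"name": name, "rcode": rcode, "qtype": qtype, "addr": addr,
            "resolver": m["resolver"], "txid": m["txid"]}


def triage(rows, flows):
    parsed = [parse_answer(r) for r in rows]
    unparsed = [r for r, p in zip(rows, parsed) if p is None]
    answers = [p for p in parsed if p]
    resolved = defaultdict(set)   # name -> addresses returned in A answers
    nxdomain = defaultdict(int)   # name -> number of Name error (3) answers
    resolvers = {a["resolver"] for a in answers}
    for a in answers:
        if a["rcode"] == 3:
            nxdomain[a["name"]] += 1
        elif a["addr"]:
            resolved[a["name"]].add(a["addr"])
    known = {ip for ips in resolved.values() for ip in ips}
    verdicts = {}  # destination -> why the sandbox did or did not flag it
    for _proto, _src, _sport, dst, dport in flows:
        ip = ipaddress.ip_address(dst)
        if dst in known:
            verdicts[dst] = "resolved via DNS"
        elif dst in resolvers and dport == 53:
            verdicts[dst] = "DNS resolver itself"  # no lookup for it is expected
        elif ip.is_private or ip.is_multicast or ip.is_link_local:
            verdicts[dst] = "local, not DNS-driven"
        else:
            verdicts[dst] = "no corresponding DNS query"
    return {"resolved": dict(resolved), "nxdomain": dict(nxdomain),
            "verdicts": verdicts, "unparsed": unparsed}


def target_was_observed(result, host):
    """True only if some A answer gave an address for host. False together with
    a score of 0 means the URL was never fetched, not that it was found clean."""
    return bool(result["resolved"].get(host))


RESULT = triage(DNS_ANSWER_ROWS, FLOWS)

if __name__ == "__main__":
    for name, n in RESULT["nxdomain"].items():
        print(f"NXDOMAIN x{n}: {name}")
    for dst, verdict in RESULT["verdicts"].items():
        print(f"{dst:>16}  {verdict}")
    print("unparsed rows:", len(RESULT["unparsed"]))
    print("target observed:", target_was_observed(RESULT, "login.365link.tech"))
```

Run as-is, it reports three NXDOMAIN answers for login.365link.tech from the rows included, marks 173.222.162.32 and 199.232.214.172 as unexplained by DNS and 1.1.1.1 and 8.8.8.8 as the resolvers, and reports the target as never observed; that last result is why a score of 0 in this report carries no information about the page behind the URL. The CNAME row is returned as unparsed rather than guessed, because the export joins the two hostnames with no separator.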

          Target ID:0
          Start time:20:30:48
          Start date:21/12/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
          Imagebase:0x7ff76e190000
          File size:3'242'272 bytes
          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

          Target ID:2
          Start time:20:30:51
          Start date:21/12/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2380,i,1983232769246941206,14067363894061141486,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Imagebase:0x7ff76e190000
          File size:3'242'272 bytes
          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

          Target ID:3
          Start time:20:30:58
          Start date:21/12/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://login.365link.tech/RKiKvqBc"
          Imagebase:0x7ff76e190000
          File size:3'242'272 bytes
          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          No disassembly