Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://readermodeext.info

Overview

General Information

Sample URL:http://readermodeext.info
Analysis ID:1586749

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Creates files inside the system directory
Deletes files inside the Windows folder

Classification

  • System is w11x64_office
  • chrome.exe (PID: 1380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 290DF23002E9B52249B5549F0C668A86)
    • chrome.exe (PID: 4836 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2156,i,5867893757064742665,16747209749079873557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2168 /prefetch:11 MD5: 290DF23002E9B52249B5549F0C668A86)
  • chrome.exe (PID: 4172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://readermodeext.info" MD5: 290DF23002E9B52249B5549F0C668A86)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: http://readermodeext.infoAvira URL Cloud: detection malicious, Label: malware
Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.24:60845 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.24:60846 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60851 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60853 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60856 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60857 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60859 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60860 version: TLS 1.2
Source: chrome.exeMemory has grown: Private usage: 16MB later: 35MB
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknownTCP traffic detected without corresponding DNS query: 51.137.3.145
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknownTCP traffic detected without corresponding DNS query: 51.137.3.145
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknownTCP traffic detected without corresponding DNS query: 23.209.209.135
Source: unknownTCP traffic detected without corresponding DNS query: 23.209.209.135
Source: unknownTCP traffic detected without corresponding DNS query: 23.209.209.135
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.99
Source: unknownTCP traffic detected without corresponding DNS query: 23.209.209.135
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.22
Source: global trafficHTTP traffic detected: GET /r/r1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cache-Control: max-age = 3600Connection: Keep-AliveAccept: */*If-Modified-Since: Mon, 12 Feb 2024 22:07:27 GMTIf-None-Match: "65ca969f-2cd"User-Agent: Microsoft-CryptoAPI/10.0Host: x1.c.lencr.org
Source: global trafficDNS traffic detected: DNS query: readermodeext.info
Source: global trafficDNS traffic detected: DNS query: google.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: unknownNetwork traffic detected: HTTP traffic on port 60846 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60852 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60851
Source: unknownNetwork traffic detected: HTTP traffic on port 60861 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60832 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60837
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60859
Source: unknownNetwork traffic detected: HTTP traffic on port 60844 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60857
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60856
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60834
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60855
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60832
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60853
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60852
Source: unknownNetwork traffic detected: HTTP traffic on port 60851 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49673
Source: unknownNetwork traffic detected: HTTP traffic on port 60855 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60853 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60857 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 60859 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60861
Source: unknownNetwork traffic detected: HTTP traffic on port 60860 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60860
Source: unknownNetwork traffic detected: HTTP traffic on port 60837 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60846
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60845
Source: unknownNetwork traffic detected: HTTP traffic on port 60845 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60844
Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.24:60845 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.24:60846 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60851 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60853 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60856 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60857 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60859 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.24:60860 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir1380_1126768196
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir1380_1126768196
Source: classification engineClassification label: mal48.win@22/0@25/93
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2156,i,5867893757064742665,16747209749079873557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2168 /prefetch:11
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://readermodeext.info"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2156,i,5867893757064742665,16747209749079873557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2168 /prefetch:11
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: Window RecorderWindow detected: More than 3 window changes detected
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath Interception1
Process Injection
1
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Extra Window Memory Injection
1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
File Deletion
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Extra Window Memory Injection
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Ingress Tool Transfer
Traffic DuplicationData Destruction

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
http://readermodeext.info100%Avira URL Cloudmalware
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
google.com
172.217.168.78
truefalse
    high
    www.google.com
    142.250.181.228
    truefalse
      high
      readermodeext.info
      unknown
      unknownfalse
        high
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
        IPDomainCountryFlagASNASN NameMalicious
        64.233.166.84
        unknownUnited States
        15169GOOGLEUSfalse
        8.8.8.8
        unknownUnited States
        15169GOOGLEUSfalse
        142.250.186.67
        unknownUnited States
        15169GOOGLEUSfalse
        172.217.16.202
        unknownUnited States
        15169GOOGLEUSfalse
        1.1.1.1
        unknownAustralia
        13335CLOUDFLARENETUSfalse
        142.250.185.163
        unknownUnited States
        15169GOOGLEUSfalse
        142.250.181.228
        www.google.comUnited States
        15169GOOGLEUSfalse
        172.217.18.14
        unknownUnited States
        15169GOOGLEUSfalse
        142.250.185.238
        unknownUnited States
        15169GOOGLEUSfalse
        IP
        192.168.2.24
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1586749
        Start date and time:2025-01-09 15:32:19 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Sample URL:http://readermodeext.info
        Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
        Run name:Potential for more IOCs and behavior
        Number of analysed new started processes analysed:12
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal48.win@22/0@25/93
        • Exclude process from analysis (whitelisted): svchost.exe
        • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23
        • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, crt.comodoca.com
        • Not all processes where analyzed, report is missing behavior information
        • VT rate limit hit for: http://readermodeext.info
        No created / dropped files found
        No static file info