Windows
Analysis Report
https://clients.dedicatedservicesusa.com
Overview
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
chrome.exe (PID: 2200 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed "about :blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) chrome.exe (PID: 6772 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2168 --fi eld-trial- handle=182 8,i,146217 6745893981 7887,99531 9547313938 8385,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
chrome.exe (PID: 6392 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" "htt ps://clien ts.dedicat edservices usa.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T10:45:12.249886+0100 | 2058352 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 52414 | 1.1.1.1 | 53 | UDP |
2025-01-14T10:45:12.250084+0100 | 2058352 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 56751 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T10:45:12.857318+0100 | 2058353 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 49704 | 198.98.59.241 | 443 | TCP |
2025-01-14T10:45:12.875390+0100 | 2058353 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 49703 | 198.98.59.241 | 443 | TCP |
2025-01-14T10:46:08.477676+0100 | 2058353 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 49716 | 198.98.59.241 | 443 | TCP |
2025-01-14T10:46:08.487636+0100 | 2058353 | 1 | Domain Observed Used for C2 Detected | 192.168.2.16 | 49717 | 198.98.59.241 | 443 | TCP |
- • AV Detection
- • Phishing
- • Compliance
- • Networking
- • System Summary
- • Boot Survival
Click to jump to signature section
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | HTTP Parser: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Classification label: |
Source: | File created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.google.com | 216.58.206.36 | true | false | high | |
clients.dedicatedservicesusa.com | 198.98.59.241 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | true | |
239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
198.98.59.241 | clients.dedicatedservicesusa.com | United States | 53667 | PONYNETUS | true | |
74.125.71.84 | unknown | United States | 15169 | GOOGLEUS | false | |
172.217.18.3 | unknown | United States | 15169 | GOOGLEUS | false | |
142.250.185.110 | unknown | United States | 15169 | GOOGLEUS | false | |
142.250.186.100 | unknown | United States | 15169 | GOOGLEUS | false | |
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false | |
216.58.206.36 | www.google.com | United States | 15169 | GOOGLEUS | false |
IP |
---|
192.168.2.16 |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1590601 |
Start date and time: | 2025-01-14 10:44:44 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | https://clients.dedicatedservicesusa.com |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.win@16/6@6/58 |
- Exclude process from analysis
(whitelisted): svchost.exe - Excluded IPs from analysis (wh
itelisted): 142.250.185.227, 1 42.250.185.110, 74.125.71.84, 142.250.185.238, 172.217.18.11 0 - Excluded domains from analysis
(whitelisted): clients2.googl e.com, accounts.google.com, re director.gvt1.com, clientservi ces.googleapis.com, clients.l. google.com - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: https:
//clients.dedicatedservicesusa .com
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2673 |
Entropy (8bit): | 3.9811936506047774 |
Encrypted: | false |
SSDEEP: | |
MD5: | 1976322906EBCCBF402E48E94D7BD23F |
SHA1: | 4CF38F23DA284D9BBF78BCDB100689B279420967 |
SHA-256: | EB03DF287083951EE1A4526E894004EA41DDD4973A78746D66BCFE0FE3E564BD |
SHA-512: | E480F017412377B5AC0BCEE7A54E92765D66A3848384F3CD13112B22471841ABA614D604BC306D14A1EAF8969BF2B27C16EF89936C80E55E5EC88D91E8D45ABD |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2675 |
Entropy (8bit): | 3.997740238209752 |
Encrypted: | false |
SSDEEP: | |
MD5: | 2E7C666AB8D6C3CA4E5F47D79183066C |
SHA1: | 445EFFBDCC5F08D3B054BDEF7E954A0980E8B09F |
SHA-256: | 62E5E8D140BB367B99E5B75416267EE278B1857E2EF68F2DCCC8F14CC16EBF4F |
SHA-512: | 22E9FF601BF3EA3032DAF57C1A1ADD596B68E6B2A6B637B1B52DBAC5D9C58952E6523520FC6DEB5FC99CEB63F9045C72F34378D12046AC83B829E1FA6FEA0829 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2689 |
Entropy (8bit): | 4.009776758401374 |
Encrypted: | false |
SSDEEP: | |
MD5: | 80E35C62324EC4A04E2738EF4C323516 |
SHA1: | 13DB17B5AD72BF1143FDB3FDB281EC0F0E43AF7A |
SHA-256: | 4F30365DBE277EB0F2FB603DA904704A7C584DC227FFBC197F540F43BF3AF6EF |
SHA-512: | EE592BE48ED3BD11641A5F7445314F273F82515D03F5475601590C011B37FC979A080D75DD16488518BCC19B3BDE250E5923A0EB399D7A2DF105DE2A319990C5 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.995130636830803 |
Encrypted: | false |
SSDEEP: | |
MD5: | E7110B4F854899A190E4C0862FBE4C7B |
SHA1: | ACE8EF83179B9236FDF403C9932DAEBDF147FB78 |
SHA-256: | 3049B18AA2AA26EDA68B2589DA22148EB6CE204291DCA78E3F3CD54F7D3388D9 |
SHA-512: | 2AEDDF736BAE45A69EC511A462913966AF9309121A950E03B240346F3CC16145ED8232B0765164227656084BDC96F7764CC32C15F656A77D5E87BE4EE3192944 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.9839660742213643 |
Encrypted: | false |
SSDEEP: | |
MD5: | 98CCA532FA9C06C970513416A0DF4312 |
SHA1: | D7201508D049C4670D6F175A01B81161D0E40C76 |
SHA-256: | 1B8D0CAF2C27C71154DB06AAF0938DD31F930B52D60B058374F0E859CC724FF2 |
SHA-512: | 1A4275E0A87E4E67780BF365236F87A3135D8A2C06B113E27935924EE3D54C3A8F2CA57901B10256228326064605D87B5F03333B1F3B87A3B6164DDD3AA70803 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2679 |
Entropy (8bit): | 3.9957795255712725 |
Encrypted: | false |
SSDEEP: | |
MD5: | EA9E6FBC91A617A1D7E74A53635A9904 |
SHA1: | A962500286BB8D974772DE45465B0979E20E9D5B |
SHA-256: | 18F87E6C0F9E997B4730FBE440FDBCB7A78C8F1847052264EDDF4CF3837FCDB4 |
SHA-512: | 0C8D75188AD879A79B46D58BB24D22529FBBDA31CBF850C0372C309A3031FD4E17EA86F097C2D19C85DFEB8023CD58BA1DEDB29FEFEC67D9498FDDFCB8632145 |
Malicious: | false |
Reputation: | unknown |
Preview: |