Windows
Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
chrome.exe (PID: 6976 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --s tart-maxim ized "abou t:blank" MD5: E81F54E6C1129887AEA47E7D092680BF) chrome.exe (PID: 6248 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --no-pre-r ead-main-d ll --field -trial-han dle=2044,i ,950045334 6925882003 ,261656295 2344092113 ,262144 -- disable-fe atures=Opt imizationG uideModelD ownloading ,Optimizat ionHints,O ptimizatio nHintsFetc hing,Optim izationTar getPredict ion --vari ations-see d-version --mojo-pla tform-chan nel-handle =1948 /pre fetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
chrome.exe (PID: 5064 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" "htt ps://acrob at.adobe.c om/id/urn: aaid:sc:EU :dd1dc65d- ce42-4138- a001-66d6a 6601091" MD5: E81F54E6C1129887AEA47E7D092680BF)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security | ||
JoeSecurity_AntiDebugBrowser | Yara detected AntiDebug via timestamp check | Joe Security | ||
JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security | ||
JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security | ||
JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security | ||
Click to see the 23 entries |
- • Phishing
- • Compliance
- • Software Vulnerabilities
- • System Summary
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
Phishing |
---|
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | OCR Text: | ||
Source: | OCR Text: | ||
Source: | OCR Text: | ||
Source: | OCR Text: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | Directory created: |
Source: | Memory has grown: |
Source: | File created: |
Source: | File deleted: |
Source: | Classification label: |
Source: | File created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | Directory created: |
Malware Analysis System Evasion |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 1 Process Injection | 12 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Extra Window Memory Injection | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 File Deletion | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Extra Window Memory Injection | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
23.223.209.71 | unknown | United States | 16625 | AKAMAI-ASUS | false | |
140.82.113.4 | unknown | United States | 36459 | GITHUBUS | false | |
199.232.89.138 | unknown | United States | 54113 | FASTLYUS | false | |
34.254.217.29 | unknown | United States | 16509 | AMAZON-02US | false | |
172.67.196.90 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
172.67.159.28 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
23.223.209.35 | unknown | United States | 16625 | AKAMAI-ASUS | false | |
3.233.129.217 | unknown | United States | 14618 | AMAZON-AESUS | false | |
172.64.155.61 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
172.67.196.11 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
142.251.40.131 | unknown | United States | 15169 | GOOGLEUS | false | |
34.252.184.159 | unknown | United States | 16509 | AMAZON-02US | false | |
18.164.124.11 | unknown | United States | 3 | MIT-GATEWAYSUS | false | |
23.223.209.5 | unknown | United States | 16625 | AKAMAI-ASUS | false | |
35.190.80.1 | unknown | United States | 15169 | GOOGLEUS | false | |
63.140.39.35 | unknown | United States | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false | |
99.83.173.21 | unknown | United States | 16509 | AMAZON-02US | false | |
142.250.65.170 | unknown | United States | 15169 | GOOGLEUS | false | |
104.16.3.189 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
54.175.249.133 | unknown | United States | 14618 | AMAZON-AESUS | false | |
63.140.39.9 | unknown | United States | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false | |
54.228.247.11 | unknown | United States | 16509 | AMAZON-02US | false | |
142.251.32.110 | unknown | United States | 15169 | GOOGLEUS | false | |
67.202.29.163 | unknown | United States | 14618 | AMAZON-AESUS | false | |
3.87.180.44 | unknown | United States | 14618 | AMAZON-AESUS | false | |
52.73.181.51 | unknown | United States | 14618 | AMAZON-AESUS | false | |
18.213.11.84 | unknown | United States | 14618 | AMAZON-AESUS | false | |
104.26.0.100 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
3.236.206.94 | unknown | United States | 14618 | AMAZON-AESUS | false | |
3.232.122.107 | unknown | United States | 14618 | AMAZON-AESUS | false | |
13.35.93.57 | unknown | United States | 16509 | AMAZON-02US | false | |
13.225.63.26 | unknown | United States | 16509 | AMAZON-02US | false | |
13.35.93.13 | unknown | United States | 16509 | AMAZON-02US | false | |
104.18.94.41 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
79.125.71.5 | unknown | Ireland | 16509 | AMAZON-02US | false | |
104.21.92.165 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
23.51.56.185 | unknown | United States | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | false | |
104.21.33.57 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
63.140.39.130 | unknown | United States | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false | |
142.251.32.106 | unknown | United States | 15169 | GOOGLEUS | false | |
142.250.64.74 | unknown | United States | 15169 | GOOGLEUS | false | |
23.48.224.112 | unknown | United States | 20940 | AKAMAI-ASN1EU | false | |
23.44.201.201 | unknown | United States | 20940 | AKAMAI-ASN1EU | false | |
44.198.154.229 | unknown | United States | 14618 | AMAZON-AESUS | false | |
3.230.130.186 | unknown | United States | 14618 | AMAZON-AESUS | false | |
104.16.6.189 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
108.138.128.75 | unknown | United States | 16509 | AMAZON-02US | false | |
3.219.243.226 | unknown | United States | 14618 | AMAZON-AESUS | false | |
104.17.24.14 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
18.164.124.91 | unknown | United States | 3 | MIT-GATEWAYSUS | false | |
23.51.57.57 | unknown | United States | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | false | |
104.18.21.58 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
142.251.179.84 | unknown | United States | 15169 | GOOGLEUS | false | |
13.225.63.103 | unknown | United States | 16509 | AMAZON-02US | false | |
162.159.140.165 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
34.199.101.34 | unknown | United States | 14618 | AMAZON-AESUS | false | |
23.44.201.171 | unknown | United States | 20940 | AKAMAI-ASN1EU | false | |
142.250.81.228 | unknown | United States | 15169 | GOOGLEUS | false | |
151.101.2.137 | unknown | United States | 54113 | FASTLYUS | false | |
18.173.219.72 | unknown | United States | 3 | MIT-GATEWAYSUS | false | |
23.48.224.103 | unknown | United States | 20940 | AKAMAI-ASN1EU | false | |
13.249.91.73 | unknown | United States | 16509 | AMAZON-02US | false | |
23.48.224.105 | unknown | United States | 20940 | AKAMAI-ASN1EU | false | |
172.67.70.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
185.199.108.133 | unknown | Netherlands | 54113 | FASTLYUS | false | |
34.197.224.31 | unknown | United States | 14618 | AMAZON-AESUS | false | |
34.120.195.249 | unknown | United States | 15169 | GOOGLEUS | false |
IP |
---|
127.0.0.1 |
192.168.2.17 |
192.168.2.16 |
192.168.2.13 |
192.168.2.14 |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1649252 |
Start date and time: | 2025-03-26 15:59:00 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091 |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.phis.evad.win@25/0@0/460 |
- Exclude process from analysis
(whitelisted): svchost.exe - Excluded IPs from analysis (wh
itelisted): 142.251.32.110, 14 2.251.40.131, 142.251.179.84, 142.251.40.206, 23.48.224.112, 23.48.224.105, 23.44.201.201, 23.44.201.197, 23.44.201.171, 192.168.2.16, 79.125.71.5, 52 .213.110.235, 3.233.129.217, 5 2.22.41.97, 52.6.155.20, 3.219 .243.226, 13.225.63.26, 13.225 .63.7, 13.225.63.103, 13.225.6 3.53, 18.213.11.84, 50.16.47.1 76, 34.237.241.83, 54.224.241. 105, 34.199.101.34, 44.198.154 .229, 52.31.218.129, 34.252.18 4.159, 52.48.8.54, 54.228.247. 11, 34.246.54.182, 52.48.126.5 8, 3.232.122.107, 34.193.3.138 , 35.169.244.202, 44.214.7.0, 35.174.237.128, 3.209.175.155, 3.230.130.186, 34.197.224.31, 23.40.179.35, 23.40.179.19, 1 42.251.32.106, 142.251.35.170, 142.251.40.106, 142.251.40.13 8, 142.251.40.170, 142.250.64. 74, 142.250.64.106, 142.250.72 .106, 142.250.80.10, 142.250.8 0.42, 142.250.80.74, 142.250.8 0.106, 142.250.65.170, 142.250 .65.202, 142.250.65.234, 142.2 50.81.234, 23.9.183.29, 2.23.2 27.208, 172.64.155.61, 4.245.1 63.56, 63.140.39.130, 63.140.3 9.35 - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: https:
//acrobat.adobe.com/id/urn:aai d:sc:EU:dd1dc65d-ce42-4138-a00 1-66d6a6601091