Windows Analysis Report
https://www.google.com/url?q=https://villemonteil-my.sharepoint.com/:b:/g/personal/jerome_lassince_villemonteilaquitaine_fr/ES2_j_QZ4phKlfTEI8NeZ1kBC_b5oFLt_ua02wACxZi9Zg&source=gmail&ust=1744104792241000&usg=AOvVaw0zD3X5FizCnSCzMz7NmTiR
Overview
General Information
Detection
Score: 56
Range: 0 - 100
Confidence: 100%
Signatures
- AI detected landing page (webpage, office document or email)
- Changes security center settings (notifications, updates, antivirus, firewall)
- Reads the Security eventlog
- Reads the System eventlog
- Adds / modifies Windows certificates
- Allocates memory with a write watch (potentially for evading sandboxes)
- Checks for available system drives (often done to infect USB drives)
- Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
- Contains capabilities to detect virtual machines
- Contains long sleeps (>= 3 min)
- Creates files inside the system directory
- Creates or modifies windows services
- Deletes files inside the Windows folder
- Detected suspicious crossdomain redirect
- Drops PE files
- Drops PE files to the windows directory (C:\Windows)
- Enables debug privileges
- Enables security privileges
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
- Found dropped PE file which has not been started or loaded
- HTTP GET or POST without a user agent
- May sleep (evasive loops) to hinder dynamic analysis
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- Queries disk information (often used to detect virtual machines)
- Queries information about the installed CPU (vendor, model number etc)
- Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
- Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
- Queries the installation date of Windows
- Queries the volume information (name, serial number etc) of a device
Classification
- System is w10x64_ra
- chrome.exe (PID: 6904 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
- chrome.exe (PID: 7120 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1792,i,17605413509507003446,10973376728109628548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
- msiexec.exe (PID: 5128 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\BluetraitAgent382.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- chrome.exe (PID: 6656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com/url?q=https://villemonteil-my.sharepoint.com/:b:/g/personal/jerome_lassince_villemonteilaquitaine_fr/ES2_j_QZ4phKlfTEI8NeZ1kBC_b5oFLt_ua02wACxZi9Zg&source=gmail&ust=1744104792241000&usg=AOvVaw0zD3X5FizCnSCzMz7NmTiR" MD5: E81F54E6C1129887AEA47E7D092680BF)
- svchost.exe (PID: 684 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 3088 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 3508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 5884 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 4036 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- svchost.exe (PID: 4796 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6504 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- MpCmdRun.exe (PID: 6364 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
- conhost.exe (PID: 2388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 5112 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 3004 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1C15DE813D6D0EB54A1256BC8A605A1D MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 1356 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6642345D2E10B4626120239C7B32339E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- Bluetrait MSP Agent.exe (PID: 940 cmdline: "C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe" MD5: 1999018A77A57B3DE1CEECEF2FD2E555)
- WmiApSrv.exe (PID: 4784 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)
- cleanup
⊘No yara matches
Author: vburov
⊘No Suricata rule has matched
- Phishing
- Compliance
- Spreading
- Software Vulnerabilities
- Networking
- Spam, unwanted Advertisements and Ransom Demands
- System Summary
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
Phishing