Play interactive tour

Edit tour

Analysis Report https://alltype.zyrosite.com/

Overview

General Information

Sample URL:	https://alltype.zyrosite.com/
Analysis ID:	401611
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: not true && true Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location Sigma syntax error: Rules are missing titles Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: false \|\| (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution Sigma runtime error: Invalid condition: true && true2 && false Rule: Formbook Process Creation

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Sigma detected: Mustang Panda Dropper

Queries the volume information (name, serial number etc) of a device

Sigma detected: MsiExec Web Install

Sigma detected: Suspicious Copy From or To System32

Classification

Startup

System is w10x64

cmd.exe (PID: 5836 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 5444 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

iexplore.exe (PID: 5376 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html.svg MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 3864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5376 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Mustang Panda Dropper

Show sources

Source: Process started

Author: Florian Roth, oscd.community: Data: Command: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , CommandLine: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wget.exe, NewProcessName: C:\Windows\SysWOW64\wget.exe, OriginalFileName: C:\Windows\SysWOW64\wget.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5836, ProcessCommandLine: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , ProcessId: 5444

Sigma detected: MsiExec Web Install

Show sources

Source: Process started

Author: Florian Roth: Data: Command: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , CommandLine: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wget.exe, NewProcessName: C:\Windows\SysWOW64\wget.exe, OriginalFileName: C:\Windows\SysWOW64\wget.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5836, ProcessCommandLine: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' , ProcessId: 5444

Sigma detected: Suspicious Copy From or To System32

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5836, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5976

Sigma detected: Data Compressed - Powershell

Show sources

Source: Event Logs

Author: Timur Zinniatullin, oscd.community: Data: EventID: 4104, Source: Microsoft-Windows-PowerShell, data 0: 1, data 1: 1, data 2: # Copyright 2008, Microsoft Corporation. All rights reserved. #Common utility functions Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData # Function to get user troubleshooting history function Get-UserTSHistoryPath { return "${env:localappdata}\diagnostics" } # Function to get admin troubleshooting history function Get-AdminTSHistoryPath { return "${env:localappdata}\elevateddiagnostics" } # Function to get user report folder path function Get-UserReportPath { return "${env:localappdata}\Microsoft\Windows\WER\ReportQueue" } # Function to get system report folder path function Get-MachineReportPath { return "${env:AllUsersProfile}\Microsoft\Windows\WER\ReportQueue" } # Function to get threshold to check whether a folder is old function Get-ThresholdForCheckOlderFile { [int]$threshold = -1 return $threshold } # Function to get threshold for deleting WER folder function Get-ThresholdForFileDeleting() { [string]$registryEntryPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" [string]$registryEntryName = "PurgeThreshholdValueInKB" [double]$defaultValue = 10.0 return Get-RegistryValue $registryEntryPath $registryEntryName $defaultValue } # Function to get the size of a directory in kb function Get-FolderSize([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return 0 } if(-not $Global:DirectoryObject) { $Global:DirectoryObject = New-Object -comobject "Scripting.FileSystemObject" } return ($Global:DirectoryObject.GetFolder($folder).Size) / 1kb } # Function to delete a folder function Delete-Folder([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return } Remove-Item -literalPath $folder -Recurse -Force } # Function to delete old folders function Delete-OldFolders($folder=$(throw "No folder is specified")) { if(($folder -eq $null) -or (-not(Test-Path $folder))) { return } [int]$threshold = Get-ThresholdForCheckOlderFile $folders = Get-ChildItem -LiteralPath ($folder.FullName) -Force | Where-Object {$_.PSIsContainer} if($folders -ne $null) { foreach($folder in $folders) { if((($folder.CreationTime).CompareTo((Get-Date).AddMonths($threshold))) -lt 0) { Delete-Folder ($folder.FullName) } else { Delete-OldFolders (Get-Item ($folder.FullName)) } } } } # Function to get registry value function Get-RegistryValue([string]$registryEntryPath = $(throw "No registry entry path is specified"), [string]$registryEntryName = $(throw "No registry entry name is specified"), [double]$defaultValue = 0.0) { [double]$registryEntryValue = $defaultValue $registryEntry = Get-ItemProperty -Path $registryEntryPath -Name $registryEntryName if($registryEntry -ne $null) { $registryEntryValue = $registryEntry.$registryEntryName } return $registryEntryValue } # Function to get the

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: https://alltype.zyrosite.com/

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Antivirus detection for URL or domain

Show sources

Source: https://kenauthentics.com/wp-admin/info-llc

Avira URL Cloud: Label: phishing

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2f3d93f3,0x01d73e36</date><accdate>0x2f3d93f3,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2f3d93f3,0x01d73e36</date><accdate>0x2f3ff641,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2f497fcb,0x01d73e36</date><accdate>0x2f497fcb,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2f497fcb,0x01d73e36</date><accdate>0x2f497fcb,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: alltype.zyrosite.com

Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wget.exe, 00000002.00000002.209609111.0000000002D38000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.209609111.0000000002D38000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com
Source: wget.exe, 00000002.00000002.209609111.0000000002D38000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.comer
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: wget.exe, 00000002.00000002.209207599.00000000013D5000.00000004.00000040.sdmp, cmdline.out.2.dr	String found in binary or memory: https://alltype.zyrosite.com/
Source: wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	String found in binary or memory: https://alltype.zyrosite.com/2
Source: wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	String found in binary or memory: https://alltype.zyrosite.com/a
Source: wget.exe, 00000002.00000002.209207599.00000000013D5000.00000004.00000040.sdmp	String found in binary or memory: https://alltype.zyrosite.com/l
Source: wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	String found in binary or memory: https://alltype.zyrosite.com/m
Source: wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	String found in binary or memory: https://alltype.zyrosite.com/te
Source: wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	String found in binary or memory: https://alltype.zyrosite.com/~
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	String found in binary or memory: https://assets.zyrosite.com/YanW3xklKwsK4PbW/Screen-Shot-at-PM-m6LKoR80anup2vvl.png
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	String found in binary or memory: https://kenauthentics.com/wp-admin/info-llc
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209636283.0000000002D76000.00000004.00000001.sdmp, index.html.2.dr	String found in binary or memory: https://userapp.zyrosite.com/v134/js/chunk-vendors.6ed82305.js
Source: wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209636283.0000000002D76000.00000004.00000001.sdmp, index.html.2.dr	String found in binary or memory: https://userapp.zyrosite.com/v134/js/index.00a0e774.js

System Summary:

Source: classification engine

Classification label: mal60.win@7/16@1/0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF062587B1FCD9BD23.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html.svg
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5376 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/'	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5376 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://alltype.zyrosite.com/	0%	Virustotal		Browse
https://alltype.zyrosite.com/	0%	Avira URL Cloud	safe
https://alltype.zyrosite.com/	100%	SlashNext	Fake Login Page type: Phishing & Social Engineering

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://assets.zyrosite.com/YanW3xklKwsK4PbW/Screen-Shot-at-PM-m6LKoR80anup2vvl.png	0%	Avira URL Cloud	safe
https://alltype.zyrosite.com/~	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://kenauthentics.com/wp-admin/info-llc	100%	Avira URL Cloud	phishing
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://alltype.zyrosite.com/a	0%	Avira URL Cloud	safe
https://alltype.zyrosite.com/te	0%	Avira URL Cloud	safe
https://userapp.zyrosite.com/v134/js/index.00a0e774.js	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://alltype.zyrosite.com/m	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com	0%	URL Reputation	safe
http://ocsp.sectigo.com	0%	URL Reputation	safe
http://ocsp.sectigo.com	0%	URL Reputation	safe
https://alltype.zyrosite.com/l	0%	Avira URL Cloud	safe
https://alltype.zyrosite.com/2	0%	Avira URL Cloud	safe
https://userapp.zyrosite.com/v134/js/chunk-vendors.6ed82305.js	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
alltype.zyrosite.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://assets.zyrosite.com/YanW3xklKwsK4PbW/Screen-Shot-at-PM-m6LKoR80anup2vvl.png	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	msapplication.xml3.5.dr	false		high
https://alltype.zyrosite.com/~	wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://kenauthentics.com/wp-admin/info-llc	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://ocsp.sectigo.com0	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://alltype.zyrosite.com/a	wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://alltype.zyrosite.com/te	wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml7.5.dr	false		high
https://userapp.zyrosite.com/v134/js/index.00a0e774.js	wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209636283.0000000002D76000.00000004.00000001.sdmp, index.html.2.dr	false	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	msapplication.xml6.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.5.dr	false		high
https://alltype.zyrosite.com/	wget.exe, 00000002.00000002.209207599.00000000013D5000.00000004.00000040.sdmp, cmdline.out.2.dr	true		unknown
http://www.live.com/	msapplication.xml2.5.dr	false		high
https://alltype.zyrosite.com/m	wget.exe, 00000002.00000002.209203234.00000000013D0000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com	wget.exe, 00000002.00000003.208935915.0000000002D78000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://alltype.zyrosite.com/l	wget.exe, 00000002.00000002.209207599.00000000013D5000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://alltype.zyrosite.com/2	wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://userapp.zyrosite.com/v134/js/chunk-vendors.6ed82305.js	wget.exe, 00000002.00000002.209628740.0000000002D6E000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.208904968.0000000002D76000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.209636283.0000000002D76000.00000004.00000001.sdmp, index.html.2.dr	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.5.dr	false		high
http://www.twitter.com/	msapplication.xml5.5.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	401611
Start date:	30.04.2021
Start time:	19:59:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://alltype.zyrosite.com/
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.win@7/16@1/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 168.61.161.212, 92.122.145.220, 104.18.2.169, 104.18.3.169, 88.221.62.148, 104.43.139.144, 23.57.80.111, 20.82.210.154, 152.199.19.161, 13.107.4.50, 92.122.213.247, 92.122.213.194, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, Edge-Prod-FRAr4b.env.au.au-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, afdap.au.au-msedge.net, ris.api.iris.microsoft.com, au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, au.c-0001.c-msedge.net, zyrosite.com.cdn.cloudflare.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtQueryValueKey calls found.
Errors:	Sigma runtime error: Invalid condition: not true && true Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location Sigma syntax error: Rules are missing titles Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: false \|\| (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution Sigma runtime error: Invalid condition: true && true2 && false Rule: Formbook Process Creation

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{552F3B9B-AA29-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	1.765955257959082
Encrypted:	false
SSDEEP:	48:IwzGcprOGwpLuOxG/ap8uOxGIpcuOV1GvnZpvuOVoGvHZp9uOVYgGoInqpvuOVY9:rJZmZT12TzWT0tTHfTmqtTlEALWTU4n
MD5:	C74FC610EB2FD7A64ACB872CC2F3D791
SHA1:	679AF03B96A3CC1FF6C8D39B0D7946D24DF1D503
SHA-256:	F97F27A622AFB23DE8AFB0BC5AA449868A644A5C6F1C9CA235F4D443CA48C57D
SHA-512:	87885414A91778B4E8760398893E0D4A3EE262E32D968F15BB35727F9CD24CAE278B1FB261D60F36A04DD2FB545044D4CBD9BFB45B970F5303609AA2016678C2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{552F3B9D-AA29-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24156
Entropy (8bit):	1.7256376423953488
Encrypted:	false
SSDEEP:	48:IwOGcprrGwpaNG4pY5/GzHpTa5UTGIpJ5TGSlXpc5pvGVp85/RG54p95PtGupL1V:rSZlQvyEJaa77l2cWpB7PF1yNg
MD5:	DBC8BF154593B9843F95368F648C4742
SHA1:	75D6397EFBCBDAA89A03A9174A83D23CBEE05EE4
SHA-256:	A9749BED73AAA4B874D87C72C74F35DF9344BBE4AA5C13E2C4BAF7633E44E77B
SHA-512:	4B2C6A47B76D069B6877EE161EB6D6AB2260936C5D2E9A2447AD6D889F470571849FBF032C261BA27F540AD8DD824BBFD3A92274B31B9142A31E04B2CAABDBC2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.104951977926415
Encrypted:	false
SSDEEP:	12:TMHdNMNxOECJuhJuYnWimI002EtM3MHdNMNxOECJuhJuYnWimI00ObVbkEtMb:2d6NxOESZHKd6NxOESZ76b
MD5:	4D3C4449D7B392DA879E28599B518AB8
SHA1:	A1685B16E7354A4679630554905C277E906B0913
SHA-256:	4B289918F2442461AFDDD596AC26BC664517A77D19E81751F49F66022881C2F1
SHA-512:	AF889C6D926F42E634413EE6D205006253E04ECD200D33317FDCF7EB935E38F2A89524251E9E1FA63A6227980E31AF8E24F0F8B3467E8E2313D55C83559E1B69
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.132441346906563
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kdzvzxnWimI002EtM3MHdNMNxe2kdzrnWimI00Obkak6EtMb:2d6NxrUzvzxSZHKd6NxrUzrSZ7Aa7b
MD5:	51DD1E293488C856FF95BC926FF50BF5
SHA1:	2AF2E6D1EDE8D18D73D7A6928389981DF2867EF7
SHA-256:	A564F66F240ACCCA9DCCAD31D7B1C1512167773828B0E9174432B0EC1318FDDA
SHA-512:	3DEA6BFF9F69EAF8F5810A5D90088E343C076622C1672C51F56C5270F9728B498FD4FE0CD861678901A3331384C1DEDFF647B983E3BF6D3E95B33B3EAD5751D7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2f38cf29,0x01d73e36</date><accdate>0x2f38cf29,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2f38cf29,0x01d73e36</date><accdate>0x2f3b319c,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.1235783322544375
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLCJuhJuYnWimI002EtM3MHdNMNxvLCJuhJuYnWimI00ObmZEtMb:2d6NxvdSZHKd6NxvdSZ7mb
MD5:	2AA5D308F958B4CD52BE81C0AB3CB4D2
SHA1:	AC06A601CDBDED8C1BF49F6C7E0153E5F70D0447
SHA-256:	058A8F22C8DCE224A51E57CD69757FD690B0F38ED4BAA9E2F32A57D8F423EAE6
SHA-512:	3C82803BCACE027E45C67BA14BD492ED39E9594DBBFE17CE2AC617E5EBBD297695C366E4F92B843B50405360C6703164D8B808699CC1B4917D461BB68E67EC8F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2f471d4f,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.138881722560008
Encrypted:	false
SSDEEP:	12:TMHdNMNxiJRTnWimI002EtM3MHdNMNxiJRTnWimI00Obd5EtMb:2d6NxkSZHKd6NxkSZ7Jjb
MD5:	0675EBB43602BC5B7E354DAAE5549238
SHA1:	378B63B2102540B3980AFFB5B3BEAE9354352EEF
SHA-256:	765A610ECFB7A70961F8EA11E49602E22982BA8F04728F50F9475F63346899FA
SHA-512:	EFE302B194053BBEE38A2D2DFF5ADF63AA82DD2CF66C4CF833BB6D1D9126ECB839BDB390AF83C7CB37F5CD1DF48DC08CC36C1C1BA02BBF4BD7457BA3AF430A44
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2f4258a1,0x01d73e36</date><accdate>0x2f4258a1,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2f4258a1,0x01d73e36</date><accdate>0x2f4258a1,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.15329234886351
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwbnWimI002EtM3MHdNMNxhGwbnWimI00Ob8K075EtMb:2d6NxQ2SZHKd6NxQ2SZ7YKajb
MD5:	372EDF1F40424F0259DDB67222FA61C6
SHA1:	F83C7B3E8F110DCFF909BC762E368DCECB81D687
SHA-256:	C56D26C9ECE74752974B0EF8D7FDBB4ABF449704CFBACBFCE6AD5568CF862CC5
SHA-512:	82E01DD3BF86E8410EA1D5D6995397DF2D1A08825AD81448FE590FF8E0586ECA6B34738930AF5C6644C6C4664E68F0E7A0796FB9532B7FC4E940BAB24165033A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2f497fcb,0x01d73e36</date><accdate>0x2f497fcb,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2f497fcb,0x01d73e36</date><accdate>0x2f497fcb,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.121754965620374
Encrypted:	false
SSDEEP:	12:TMHdNMNx0npOYnWimI002EtM3MHdNMNx0nphJuYnWimI00ObxEtMb:2d6Nx0hSZHKd6Nx0lSZ7nb
MD5:	8D88674001CDED41D186F72A9DE607EA
SHA1:	E2A23EA684B5D0E1A9BE637DFDD32FE92370D3B4
SHA-256:	20241F40389D1B11BE3FB1431BEF08D8C95ED0AB5F333C161FF9A581AA5B883F
SHA-512:	86F3CDBD52B43CE756874F63DE03BB40BBB3FB4755823BC26C01BAB0C8073DFC33A374EC91E0D9548E873049A64A0EEAD7861166255B343B6CBCD5B715BE2D9A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2f44bb06,0x01d73e36</date><accdate>0x2f44bb06,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2f44bb06,0x01d73e36</date><accdate>0x2f471d4f,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.163151499829456
Encrypted:	false
SSDEEP:	12:TMHdNMNxxJRTnWimI002EtM3MHdNMNxxJRTnWimI00Ob6Kq5EtMb:2d6NxdSZHKd6NxdSZ7ob
MD5:	A0FB115481B7A3047C2A467F1949A60C
SHA1:	B5590F59C9AB35618C5FDA9A7752377DD36FE6F9
SHA-256:	B11B362BF92AA5859B1B6AA37B024CB38DFAFB2459F7E1E6ACB8656549E3E45F
SHA-512:	62FD0F68CC66D92FA228B43576519F975DC4F9B600D243C09D6EBCAC46B016C300BEFD5079C0DB57D277B99184396A8AA9F8AC86174D652D69A66624CA649923
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2f4258a1,0x01d73e36</date><accdate>0x2f4258a1,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2f4258a1,0x01d73e36</date><accdate>0x2f4258a1,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.115650878698292
Encrypted:	false
SSDEEP:	12:TMHdNMNxctmvmFnWimI002EtM3MHdNMNxctmMnWimI00ObVEtMb:2d6NxYoOSZHKd6NxYNSZ7Db
MD5:	A3905A73A6B1648EBB6920365C5E572A
SHA1:	5FEE23492BC71B9D24BAA6189ED69FF46661A387
SHA-256:	5D9C93AF1B6FDFA226E6458DF01BC7BD554641285F7DF7736D68DD296A3EF463
SHA-512:	FA52ECB1FDC3635ABC027B4F226429287FCFF449C6898DCFE7EC7F483A6F75D67D33789EC0E110BE0D5714175B1A1EABAB6144646D6950CBED73A06B4A53F691
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2f3d93f3,0x01d73e36</date><accdate>0x2f3d93f3,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2f3d93f3,0x01d73e36</date><accdate>0x2f3ff641,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.1013552085090454
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnxnWimI002EtM3MHdNMNxfnxnWimI00Obe5EtMb:2d6NxZSZHKd6NxZSZ7ijb
MD5:	250199E585E9E320AD72D493AE59EDD1
SHA1:	25A190D33ED265786D2671271EDF56E0CBB29171
SHA-256:	AA5D8D59CC8BB9CF4CA4FB139D1AAC517D6CF9BB6C4D33912B91ADBF01CEA08F
SHA-512:	3A1B02AB52EA552E8F41F5E54AE337BD85D38FA47C589F92766A86AC37CFA68349E4A6159112F52F2BFD70EC8A989EC181331C538F19247BF5CD80E5DC566876
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2f3ff641,0x01d73e36</date><accdate>0x2f3ff641,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2f3ff641,0x01d73e36</date><accdate>0x2f3ff641,0x01d73e36</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\~DF062587B1FCD9BD23.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	0.4212875375513667
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9louOrF9louOR9lWuO1hBYb9a:kBqoIuO6uOEuO1HYb9a
MD5:	F21AFCEE151CCD9FC452E0DCCADD92AB
SHA1:	3EE53F7BCFC8FE6CE65F12BFFA33D09B9EFFD520
SHA-256:	FFB44239D04770814C24626AB0365E1E6C1D291871D5985CE93BDBD4512DAD12
SHA-512:	03445384F0998D8622C8CDF3EEC7BF82A9D9BFBCECE3DAA2997D27E70A76FDE3F45709DCFF3D614F039631B3CDF3FCF9A18E120A0B79496C299C04CE1E9BCA79
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7D639E644E59743F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34773
Entropy (8bit):	0.4704501113181009
Encrypted:	false
SSDEEP:	48:kBqoxKo5756a5Za5r5+5A5a5E5PX5PJ1c7A7:kBqoxKoVcavaVA+UOVD1r
MD5:	D5CD24EA001E5FF5C779E9458C7A7018
SHA1:	0624AA9DBCAE5E894CC2F66181EF49DBD4963503
SHA-256:	82A819021B509A0993325FD84880B1D332281E4210DF89B6BAA8C6BB04002C7A
SHA-512:	809514FCA5DAF38AA006C96AC776D11B53FED9B67B7A3DA64C347A57F78E6E131449EFCEFCBC83AA40F824F010FB3E4BDA19E1B0E05EB42AB72E3AAA709C3A47
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\cmdline.out Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	614
Entropy (8bit):	4.86991424827981
Encrypted:	false
SSDEEP:	12:H9C7mZ7lyH39j+yH3lT1De5RhKkk1DbBKjVovXwJjBTjiBKjVJ:06Z7l2I2NxePgJ1pWVZpREWVJ
MD5:	EEE9B7FA8C93217F824BDD21D1D473DF
SHA1:	B068EA91728C318252E84C0C013035E5154A6207
SHA-256:	E52721F31B956014F13B66355021032A4C54A2C3BE871A63916A0D7C1ABC2B55
SHA-512:	69E468834F1068AFA08067AFAD970C9ED8BAC60837D517CDFCFA27DC6CCD82F2C9645A057BC72A7689144BEE4F4C942CA9EE6F5BC5042EBA4322CD955FEEA08F
Malicious:	false
Reputation:	low
Preview:	--2021-04-30 20:00:04-- https://alltype.zyrosite.com/..Resolving alltype.zyrosite.com (alltype.zyrosite.com)... 104.18.2.169, 104.18.3.169..Connecting to alltype.zyrosite.com (alltype.zyrosite.com)\|104.18.2.169\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: unspecified [text/html]..Saving to: 'C:/Users/user/Desktop/download/index.html'.... 0K .......... .......... .......... .......... .......... 182K.. 50K .......... .......... .......... .......... ... 709K=0.3s....2021-04-30 20:00:05 (277 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [95232]....

C:\Users\user\Desktop\download\.wget-hsts Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.1673967927631725
Encrypted:	false
SSDEEP:	3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dybAQQ6GVV8kVgv:SYeRLlbA0noH9VhyyJQQ5oA8UkQQTVlU
MD5:	CB1824D48685DA1664AC87C8CA18CA3E
SHA1:	2A5A1B09A787FB3AF11F56513AF13EFED9AB6B99
SHA-256:	41BACBEED875AD7803A36BC051D89AC10ED596BBA072859760F2837591E45F89
SHA-512:	241A7DCE9C25C23DF9FF96F923B16DD948FC8688F26F2B0DF47BE1D1E05E2AEBDC4656380A2FC44466B3E545272D9B70B8AB8BC4CFE351D782D83FBE070FC2A9
Malicious:	false
Reputation:	low
Preview:	# HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# <hostname>.<port>.<incl. subdomains>.<created>.<max-age>..alltype.zyrosite.com.0.1.1619838005.63072000..

C:\Users\user\Desktop\download\index.html Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.221961410858148
Encrypted:	false
SSDEEP:	1536:pGbGZDAeq4DO6buQuSuGbGze4ICCeUaS+ICCv61GJed+r2MdfHUEANCu:fDAeq4DO6bud9Cu
MD5:	4E389142A9663FB54F5D7BC64B9C8123
SHA1:	542E90D04949541A0EC038D71B325B00EDEAFE30
SHA-256:	172F3D3D7429E341AB633598F6E75FD495220BFB9DB5E9273FA3D152AFC81BC6
SHA-512:	07EAE511CB6D99F7AECAA58970925C44B1E10F52A530ACA1E8684EA0A1FD5CB3836A51F2A2DFAA8A8934726F0939AA5660E7B4743F06676B09E89A1CDC3AA2DE
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html lang="en"><head><script src="/cdn-cgi/apps/head/a2ff1ftsK3yTu21p1BeEN2BZsnA.js"></script><link href="https://fonts.googleapis.com/css?family=Roboto:700\|Lato:400&display=swap" rel="stylesheet" media="print" onload="if(!window._isAppPrerendering)this.removeAttribute("media");"><link href="https://fonts.googleapis.com/css?family=Roboto:700\|Lato:400&display=swap" rel="preload" as="style"><link href="https://fonts.gstatic.com" rel="preconnect" crossorigin="true"><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="generator" content="Zyro.com Website Builder"><script src="/cdn-cgi/apps/head/a2ff1ftsK3yTu21p1BeEN2BZsnA.js"></script><link href="https://userapp.zyrosite.com/v134/js/chunk-vendors.6ed82305.js" rel="preload" as="script"><link href="https://userapp.zyrosite.com/v134/js/index.00a0e774.js" rel="preload" as="script"><style type="text/css">*,:afte

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 30, 2021 19:59:55.719552994 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:55.772861958 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 30, 2021 19:59:56.642065048 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:56.692630053 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 30, 2021 19:59:57.559258938 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:57.607999086 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 30, 2021 19:59:57.873559952 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:57.938271046 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 30, 2021 19:59:58.463943005 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:58.517735958 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 30, 2021 19:59:59.352809906 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 30, 2021 19:59:59.401539087 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:00.471375942 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:00.520176888 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:01.755145073 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:01.803831100 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:02.716509104 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:02.766179085 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:03.701437950 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:03.755577087 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:04.924017906 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:04.972800016 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:05.515747070 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:05.594532013 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:06.611249924 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:06.665512085 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:07.579889059 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:07.632570982 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:08.351243019 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:08.412189960 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:08.679445982 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:08.728271008 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:10.801151991 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:10.850893021 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:12.015181065 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:12.067832947 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:12.899367094 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:12.950416088 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:13.839142084 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:13.887830019 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:32.060535908 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:32.119796038 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:34.149715900 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:34.202223063 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:38.357847929 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:38.409507990 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:45.355668068 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:45.407288074 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:47.716106892 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:47.772605896 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:48.093070030 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:48.144063950 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:49.091542959 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:49.140547037 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:49.732523918 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:49.785572052 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:50.108005047 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:50.159593105 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:51.242132902 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:51.318945885 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:52.107085943 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:52.155811071 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:53.748234987 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:53.799925089 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:56.122982025 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:56.171622038 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 30, 2021 20:00:58.883512974 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:00:58.945782900 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 30, 2021 20:01:12.983165979 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:01:13.046703100 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 30, 2021 20:01:15.563376904 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:01:15.641674995 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 30, 2021 20:01:44.121939898 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:01:44.170622110 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 30, 2021 20:01:46.137655973 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 30, 2021 20:01:46.202858925 CEST	53	61292	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 30, 2021 20:00:05.515747070 CEST	192.168.2.3	8.8.8.8	0xc1e0	Standard query (0)	alltype.zyrosite.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 30, 2021 20:00:05.594532013 CEST	8.8.8.8	192.168.2.3	0xc1e0	No error (0)	alltype.zyrosite.com	zyrosite.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 5836 Parent PID: 992

Function Logs

General

Start time:	20:00:01
Start date:	30/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/' > cmdline.out 2>&1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	20:00:02
Start date:	30/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	20:00:04
Start date:	30/04/2021
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://alltype.zyrosite.com/'
Imagebase:	0x400000
File size:	3895184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	20:00:06
Start date:	30/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html.svg
Imagebase:	0x7ff7a7000000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	20:00:07
Start date:	30/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5376 CREDAT:17410 /prefetch:2
Imagebase:	0xd30000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://alltype.zyrosite.com/

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 5836 Parent PID: 992

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated

Thread Activities

Thread Execution Resumed

Thread Information Set