Create Interactive Tour

Analysis Report http://x1.c.lencr.org

Overview

General Information

Sample URL:	http://x1.c.lencr.org
Analysis ID:	429640
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 4952 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5960 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4952 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 5696 cmdline: 'C:\Windows\system32\rundll32.exe' cryptext.dll,CryptExtOpenCRL C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown

DNS traffic detected: queries for: x1.c.lencr.org

Source: classification engine

Classification label: clean0.win@5/9@1/0

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFFFCD0047E857744A.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' cryptext.dll,CryptExtOpenCRL C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4952 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' cryptext.dll,CryptExtOpenCRL C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4952 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' cryptext.dll,CryptExtOpenCRL C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\rundll32.exe

File opened: C:\Windows\system32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rundll321	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://x1.c.lencr.org	1%	Virustotal		Browse
http://x1.c.lencr.org	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
x1.c.lencr.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
0	1%	Virustotal		Browse

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
x1.c.lencr.org	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	false	1%, Virustotal, Browse	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	429640
Start date:	04.06.2021
Start time:	13:04:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://x1.c.lencr.org
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@5/9@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 88.221.62.148, 104.83.124.33, 13.64.90.137, 20.82.209.183, 152.199.19.161, 184.30.24.56, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.82.210.154, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, e8652.dscx.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26AC90E3-C570-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.800484429044522
Encrypted:	false
SSDEEP:	192:rZZmZWt2W3iWW3hXtW3hGlfW3hGKYlMW3h+SKEW3h+JKZRRW3K+JKI2:rPCbOEv8Cofv
MD5:	32E397FE817A2E15817E19B1A40041F6
SHA1:	B2272E19E6A5C90446134EAB13886E82CD7F3227
SHA-256:	16053A9726321E3A3C87158219B5929462FD769CEE49919914375002193F5223
SHA-512:	1959261B5B75A1BEEBAF39452358D759A8072DAF8FE5D841F228E9461E16F0A5B07709BF2D0083EB5A257F8AA6E266366B7E8216EA24CF0D6C3EFEE9F8A117B3
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{26AC90E5-C570-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5984498284903168
Encrypted:	false
SSDEEP:	48:IwxGcprsGwpaEG4pQ8GrapbSuZGQpBHtQGHHpcHjEaTGUpQH5EGcpm:rHZEQ066BSmj92l6Gg
MD5:	93DC201D50275740AB18494CFF05AEEE
SHA1:	59F27D24CE9D09A672549ACF40AAECAE1D05A8D5
SHA-256:	AF5DCE7993B920877C1AD25BB0FAB63D3F829AB297B03B6B1648E7D87ECB88B7
SHA-512:	95B116429F6A53F7EC4ED0142BE9A7F47F28545957AEDC719ADB1BCC87B3E2B9C2C024EA2E5112126A5557976F5219CCEBE354D8A74AEC7CD518849113EE4468
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl.gmw4vvf.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	717
Entropy (8bit):	7.5500038683560025
Encrypted:	false
SSDEEP:	12:mmScL8DlumR9TCNp5gtIBV9YSHfWsYxkcTX9QZEgvbn+x35l:YSSpOXgtIRdlpRqh5l
MD5:	0675C0D0DA9A6EAC284A10C2DDDA636A
SHA1:	6C7856EF6BE6B6FCE283423CF9D48E7D101D7FA7
SHA-256:	7852903B2B3BD59C816AA0A74272A4C51BAE13F38BB72A67F3FD04B50D061B50
SHA-512:	09A3F652BD943A7CC3DEF436C9FE769BF5C30499B78D63598FC2FC23FA15932A08D545354129FC346133EFBDA456EDFE8D4A10BAB5A50ABE7D132C2228815232
Malicious:	false
Reputation:	low
Preview:	0...0.....0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X1..200904000000Z..210804000000Z./0-0...U.#..0...y.Y.{....s.....X..n0...U......d0....H...............V.).....I.#U..%..M..;w...H'w...u..,.b..(XZ..kc....$...Rx....@...m..U.vl.7......Dr..`.P7o...7.r`..G-.X.8.z....Q00..av..J~.Z(P.....3c(.(.e........2.1.z5.0I.....a.+mAuHP..dq1.zJ...1..A...N.h...<. ..L.6.........f0vS..G...Tc.P.D..;..aj....dqI....b.?..P.....?...6..L.c.D.M...g...W....M-.tb.....}.....;...DP}..}0..n.6.?..O.F....,...f`..._..C..R#........ l..+..x.....ueIdW.^.s.F&.....]:...X#H5....V..a.s.I.JM.u...^ii......T..M.,...1......$..f\|......2W...$.B...BS.....<.8~.:X..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl.gmw4vvf.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\3CU7BMMY.crl Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	717
Entropy (8bit):	7.5500038683560025
Encrypted:	false
SSDEEP:	12:mmScL8DlumR9TCNp5gtIBV9YSHfWsYxkcTX9QZEgvbn+x35l:YSSpOXgtIRdlpRqh5l
MD5:	0675C0D0DA9A6EAC284A10C2DDDA636A
SHA1:	6C7856EF6BE6B6FCE283423CF9D48E7D101D7FA7
SHA-256:	7852903B2B3BD59C816AA0A74272A4C51BAE13F38BB72A67F3FD04B50D061B50
SHA-512:	09A3F652BD943A7CC3DEF436C9FE769BF5C30499B78D63598FC2FC23FA15932A08D545354129FC346133EFBDA456EDFE8D4A10BAB5A50ABE7D132C2228815232
Malicious:	false
Reputation:	low
Preview:	0...0.....0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X1..200904000000Z..210804000000Z./0-0...U.#..0...y.Y.{....s.....X..n0...U......d0....H...............V.).....I.#U..%..M..;w...H'w...u..,.b..(XZ..kc....$...Rx....@...m..U.vl.7......Dr..`.P7o...7.r`..G-.X.8.z....Q00..av..J~.Z(P.....3c(.(.e........2.1.z5.0I.....a.+mAuHP..dq1.zJ...1..A...N.h...<. ..L.6.........f0vS..G...Tc.P.D..;..aj....dqI....b.?..P.....?...6..L.c.D.M...g...W....M-.tb.....}.....;...DP}..}0..n.6.?..O.F....,...f`..._..C..R#........ l..+..x.....ueIdW.^.s.F&.....]:...X#H5....V..a.s.I.JM.u...^ii......T..M.,...1......$..f\|......2W...$.B...BS.....<.8~.:X..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.48547855515619
Encrypted:	false
SSDEEP:	3:oVXUbVIQokFqmW8JOGXnEbVIQokFZun:o9UatHqEax
MD5:	C50702F92F75A279579C6B8BB85DF683
SHA1:	F2C59C693F5A77D3ABA77CB86ED8B3C739E62722
SHA-256:	296A9ACC5B506EE93C0EA788259CC638723CFC3F53A4FE5D2520CB59F356629C
SHA-512:	3CCF6C29418B2BA3A8908384C321573F3A05431728590EB8B7ABABFD81E85F69FABA5FB0CE4DB24E7A6D2B05ACDB410796E14E433A91996C51A0E78AB949E8BC
Malicious:	false
Reputation:	low
Preview:	[2021/06/04 13:05:05.953] Latest deploy version: ..[2021/06/04 13:05:05.953] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF41CAFBE8E3B31200.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.3297953902484431
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwHf9lwHf9l2H5/9l2H1:kBqoxKAuvScS+HYHeH5+HYH5y
MD5:	5DDF5800729BEF3BDE1D3B855AC42E23
SHA1:	B9E4A23D4FBFA11D271BCFBC99487833D4B81F33
SHA-256:	B5B7594C3835E758DBAE9D71630F0EA4ADEC33682BB8C876FC73DC66FC884A97
SHA-512:	3AD495F67333BEDB3C9B25F7ABE15C8FD0414892B3FB50993B0CAE746DE68AE9D5BF2924BF05CA535B8ABE242ADE29BC6CECD419D878FA918FBC451079827A65
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFFCD0047E857744A.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4435532782451861
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loWDF9loWJ9lWW3hGNKhGF2AGFY42:kBqoIWSWMW3hGNKhGFpGFY42
MD5:	B2ABAB819E52B98B04FCE95543B875B3
SHA1:	ECF2166A110BE96452695092C485E1D0CAEC74CB
SHA-256:	1D7D59835D752E94452677E72084D3A3199658107E37021829619A948A75CE2B
SHA-512:	CFF08FED5DBA461562A10C4195152E5E9151AADCBCF4C837692396DA49CE97A47498CB43B0D894BA8463D3C18974D89EF05BAE1ECF7A2B1F546C7369EF0BCDC7
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2021 13:04:58.934874058 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:04:58.981369972 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 4, 2021 13:04:59.804775953 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:04:59.845891953 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:00.564064026 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:00.612735987 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:01.446341038 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:01.487591028 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:02.460266113 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:02.509963989 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:03.375058889 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:03.426282883 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:04.238626003 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:04.285214901 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:05.074487925 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:05.121105909 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:05.393686056 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:05.448673964 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:06.142679930 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:06.187639952 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:06.541949034 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:06.599395037 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:07.125974894 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:07.172610044 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:08.191068888 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:08.235320091 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:09.112215996 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:09.160649061 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:10.001703978 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:10.043493986 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:11.325351954 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:11.366616964 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:12.557410955 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:12.603969097 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:13.340256929 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:13.381968021 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:14.586381912 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:14.632975101 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:33.345276117 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:33.393876076 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:35.397185087 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:35.445262909 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:36.442636967 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:36.483839035 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:37.482152939 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:37.488512993 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:37.529743910 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:37.559961081 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:39.535610914 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:39.582370996 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:43.582819939 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:43.625346899 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:50.401597977 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:50.448559999 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:54.280436993 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:54.317101002 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:54.327233076 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:54.363590002 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:54.425321102 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:54.477155924 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 4, 2021 13:05:57.697782040 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:05:57.744522095 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 4, 2021 13:06:04.906177998 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:06:04.957854986 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 4, 2021 13:06:34.813488960 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:06:34.860147953 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 4, 2021 13:06:35.271883011 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:06:35.337892056 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 4, 2021 13:06:58.606637955 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 4, 2021 13:06:58.654375076 CEST	53	61946	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 4, 2021 13:05:06.541949034 CEST	192.168.2.3	8.8.8.8	0x906f	Standard query (0)	x1.c.lencr.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 4, 2021 13:05:06.599395037 CEST	8.8.8.8	192.168.2.3	0x906f	No error (0)	x1.c.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe
• rundll32.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe
• rundll32.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe
• rundll32.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 4952 Parent PID: 792

Function Logs

General

Start time:	13:05:04
Start date:	04/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff613580000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 5960 Parent PID: 4952

Function Logs

General

Start time:	13:05:05
Start date:	04/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4952 CREDAT:17410 /prefetch:2
Imagebase:	0x12c0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: rundll32.exe PID: 5696 Parent PID: 4952

Function Logs

General

Start time:	13:05:28
Start date:	04/06/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' cryptext.dll,CryptExtOpenCRL C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\3CU7BMMY.crl
Imagebase:	0x7ff7e6040000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://x1.c.lencr.org

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 4952 Parent PID: 792

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Created

Key Value Created

Key Value Modified

Key Value Deleted

Key Monitored

Mutex Activities