Edit tour

Windows Analysis Report
denuncia-6spnpo.PDF.htm

Overview

General Information

Sample Name:	denuncia-6spnpo.PDF.htm
Analysis ID:	847988
MD5:	4edc2fc519c18f558872b1c84d944324
SHA1:	88500d84c10f9877733457e5c6c3214431c329db
SHA256:	c0d57b8f1c9372c0080ac228dd263e6b46bc9e30282c7dd9dbc786c73046797a

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Detected javascript redirector / loader

HTML file submission containing password form

Tries to load missing DLLs

None HTTPS page querying sensitive user data (password, username or email)

HTML body contains password input but no form action

Queries disk information (often used to detect virtual machines)

HTML body contains low number of good links

HTML title does not match URL

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 4876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\denuncia-6spnpo.PDF.htm MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 6392 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1784,i,10997758110031017525,4536014936166963696,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

MicrosoftEdgeCP.exe (PID: 7512 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdgeCP.exe (PID: 1892 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdgeCP.exe (PID: 6640 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdgeCP.exe (PID: 6136 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdge.exe (PID: 4564 cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca MD5: 0A2F0E7A50086F41E73434226E41DD6D)

MicrosoftEdgeSH.exe (PID: 7300 cmdline: C:\Windows\system32\MicrosoftEdgeSH.exe SCODEF:4564 CREDAT:9730 APH:1000000000000002 JITHOST /prefetch:2 MD5: 5AC4AA9129F88EDE6B7A72EFC56C9058)

MicrosoftEdgeCP.exe (PID: 7380 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdgeCP.exe (PID: 3228 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

MicrosoftEdgeCP.exe (PID: 7932 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer MD5: 0E954887FC791F668CE388F89BC3D6C6)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on favicon image match)

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

Matcher: Template: microsoft matched with high similarity

Detected javascript redirector / loader

Source: denuncia-6spnpo.PDF.htm

HTTP Parser: Low number of body elements: 1

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: Title: Isciii.es does not match URL

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: <input type="password" .../> found

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 104.102.40.139:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.40.139:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.203:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.203:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49786 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 5MB later: 29MB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.102.40.139
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	HTTPS traffic detected: 104.102.40.139:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.40.139:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.203:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.203:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.3:49786 version: TLS 1.2

Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuuc.dll
Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuin.dll
Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuuc.dll
Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuin.dll
Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuuc.dll
Source: C:\Windows\System32\MicrosoftEdgeCP.exe	Section loaded: icuin.dll

Source: C:\Windows\System32\MicrosoftEdgeCP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\denuncia-6spnpo.PDF.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1784,i,10997758110031017525,4536014936166963696,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1784,i,10997758110031017525,4536014936166963696,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeSH.exe C:\Windows\system32\MicrosoftEdgeSH.exe SCODEF:4564 CREDAT:9730 APH:1000000000000002 JITHOST /prefetch:2
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer
Source: unknown	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe" -ServerName:Windows.Internal.WebRuntime.ContentProcessServer

Source: C:\Windows\System32\MicrosoftEdgeCP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback

Source: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

File created: C:\Users\user\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Temp\~DF4799CE5C01AB4489.TMP

Source: classification engine

Classification label: mal56.phis.winHTM@29/13@6/168

Source: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

File opened: PhysicalDrive22

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

HTTP Parser: file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
denuncia-6spnpo.PDF.htm	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
onedrivefiles.kz	1%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrivefiles.kz	176.124.192.245	true	false	1%, Virustotal, Browse	unknown
accounts.google.com	142.250.185.77	true	false		high
cdn.tailwindcss.com	104.26.9.91	true	false		high
www.google.com	142.250.185.100	true	false		high
clients.l.google.com	142.250.185.142	true	false		high
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/denuncia-6spnpo.PDF.htm	true		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.77	accounts.google.com	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
216.58.212.164	unknown	United States	15169	GOOGLEUS	false
131.253.33.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
176.124.192.245	onedrivefiles.kz	Russian Federation	59652	GULFSTREAMUA	false
142.250.186.106	unknown	United States	15169	GOOGLEUS	false
52.109.32.24	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.23.99	unknown	United States	15169	GOOGLEUS	false
52.109.8.45	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.142	clients.l.google.com	United States	15169	GOOGLEUS	false
104.26.9.91	cdn.tailwindcss.com	United States	13335	CLOUDFLARENETUS	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
104.102.40.139	unknown	United States	16625	AKAMAI-ASUS	false
204.79.197.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	847988
Start date and time:	2023-04-17 11:08:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	denuncia-6spnpo.PDF.htm
Detection:	MAL
Classification:	mal56.phis.winHTM@29/13@6/168
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.106, 172.217.23.99, 34.104.35.123
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, login.live.com, ajax.googleapis.com, clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\3VYMUXWA\dhp[1].htm

Download File

Process:	C:\Windows\System32\MicrosoftEdgeCP.exe
File Type:	HTML document, ASCII text, with very long lines (46998), with CRLF line terminators
Category:	dropped
Size (bytes):	62819
Entropy (8bit):	5.37052619772988
Encrypted:	false
SSDEEP:
MD5:	13E9EF3792A3FC3A69A7577C8CD5C9AE
SHA1:	D2E085D54B4D745C28313FC09B2F14FAA9391BC7
SHA-256:	1C2072D4B5D7E2BD28524939D428F707F553056D19E77BA42C5184EDA7403295
SHA-512:	A33217D2AA6B56E9DDBB822C3698AFCD560B584F39C5CC8D9359BF8917AB4AE45578F835F4916811BEDE1681992BC03907CA5E7EAA53914ECF3A9DFC134FD06E
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html lang="de-ch" dir="ltr" manifest="/bundles/v1/edge/latest/manifest.appcache?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisolationenforced=0&targetexperience=default">..<head data-info="f:msnallexpusers,prg-sp-liveapi,muidflt48cf,muidflt59cf,muidflt258cf,moneyedge1cf,onetrustpoplive,prg-cm-csopsp,prg-1sw-dksm-c,prg-1sw-tsupads-t,prg-1sw-tpr1dtchng,prg-1sw-tpsnhtlap,prg-1sw-trvlsupads,prg-cg-ad-c,prg-1sw-tpdstr-t,prg-1sw-refprg1,prg-1sw-sdtravoff,prg-1sw-curnctl,prg-1sw-stkscroll,prg-1sw-idxctl,prg-1sw-ccunam,traffic-tskb-rdmc-cf,prg-1sw-tskb-rdmc-cf,prg-1sw-vdegc,prg-adspeek,prg-cm-csopfi,btrecrow1,1s-winauthservice,prg-pr2-fwscrv2-t,prg-pr2-fwscrv2,prg-hdr-control,traffic-tskb-p2-rdmc-oc,prg-p2-hinc-oa-oc,prg-p2-misc-pr,prg-p2-rhzd-pr,btie-latency,prg-ias,1s-fcrypt,routewindring0t,prg-crsl-hp-feb-v31,prg-wpo-hp-crsl-feb-v31,prg-ctr-pnpc,prg-pr2-tmplc,prg-pr2-pvhold,prg-upsaip-w1-t,prg-upsaip-r-t,prg-wx-anmpr,7b83c716,prg-wx-sbn-vm,1s-rpssecauth

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\FQM6Q1IH\dhp[1].htm

Download File

Process:	C:\Windows\System32\MicrosoftEdgeCP.exe
File Type:	HTML document, ASCII text, with very long lines (46998), with CRLF line terminators
Category:	dropped
Size (bytes):	63669
Entropy (8bit):	5.372897403263284
Encrypted:	false
SSDEEP:
MD5:	555AEF8F6CFDC42FBE27464A5A8CF9DB
SHA1:	BBCBF326FE5BE718C1F8D13DA1295C1119257BB9
SHA-256:	80781AE5AE3ABEEBA319456F851BD2DAB3AFFC31F20BC3C689EE58E689121A46
SHA-512:	A3776AFF76B5ED04250A4FC6CE50C6C86924A915C1682877331B13C44EC4BB8343A4431D26FCED07925E2B5401649E1400361D4138F85441772355965B0069B2
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html lang="de-ch" dir="ltr" manifest="/bundles/v1/edge/latest/manifest.appcache?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisolationenforced=0&targetexperience=default&backgroundpreload=1">..<head data-info="f:msnallexpusers,prg-sp-liveapi,muidflt48cf,muidflt59cf,muidflt258cf,moneyedge1cf,prg-rrwc-c-new,onetrustpoplive,prg-cm-csopsp,prg-1sw-esprt-c-genre,prg-1sw-dksm-c,prg-1sw-tsupads-t,prg-1sw-tpr1dtchng,prg-1sw-tpsnhtlap,prg-1sw-trvlsupads,prg-cg-ad-c,prg-1sw-tpdstr-t,prg-1sw-refprg1,prg-1sw-sdtravoff,prg-1sw-curnctl,prg-1sw-stkscroll,prg-1sw-idxctl,prg-1sw-ccunam,traffic-tskb-rdmc-cf,prg-1sw-tskb-rdmc-cf,prg-1sw-vdegc,prg-adspeek,prg-cm-csopfi,btrecrow1,1s-winauthservice,prg-pr2-fwscrv2-t,prg-pr2-fwscrv2,prg-hdr-control,traffic-tskb-p2-rdmc-oc,prg-p2-hinc-oa-oc,prg-p2-misc-pr,prg-p2-rhzd-pr,btie-latency,btie-aspectu2a-t3,prg-ias,1s-fcrypt,prg-wtch-blv3dmk1,routewindring0t,prg-crsl-hp-feb-v31,prg-wpo-hp-crsl-feb-v31,prg-ctr-pnpc,prg-pr2-tsupads-

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	data
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.024438989515347138
Encrypted:	false
SSDEEP:
MD5:	307C23FAEEF774A3DBA8B9C77D143661
SHA1:	5006F0135703E55BDD58F23C0E649CBDBAE95F93
SHA-256:	F1A35BC528FFC6D762EA5253C5B4399D1A8475120E7D640F471D7E76236BF41F
SHA-512:	061D70F83266529E6E449A94A4D1CBA653C8BE23E0C3A27EB9F49E05CB723C07B8FBE1C88314BF3C4E6C2D9E19C72EC403DE947D183AA48ED22CA085AEBF0D07
Malicious:	false
Reputation:	low
Preview:	(B.m........... .....{k......y..............w.5.....y..................C:\Users\user\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\..............................................................................................................C:\Users\user\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\...................................................................................................... ...,..........................................................4.K.#......... F._...............h...............E.h0.....y..................C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.a.c.k.a.g.e.s.\.m.i.c.r.o.s.o.f.t...m.i.c.r.o.s.o.f.t.e.d.g.e._.8.w.e.k.y.b.3.d.8.b.b.w.e.\.A.C.\.M.i.c.r.o.s.o.f.t.E.d.g.e.\.U.s.e.r.\.D.e.f.a.u.l.t.\.D.a.t.a.S.t.o.r.e.\.D.a.t.a.\.n.o.u.s.e.r.1.\.1.2

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x41cd169a, page size 8192, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.05415709771812246
Encrypted:	false
SSDEEP:
MD5:	00891E6F4DEA99BBC929B37500131DAB
SHA1:	4135F12FA092F07FE4E9FDB707099B26FEF91A17
SHA-256:	23D0EF41BE2F892B2BD9723C875FC90495825B427E24B5C49628AFB290048DCE
SHA-512:	9D3AEB64F20F8F91EF7167E8F7CA47445ECCB6F100594913091C131CF58DB70B445C4221E735FDE18779B0E88F7FB98BF14267E5B190B8107190451392B26DEA
Malicious:	false
Reputation:	low
Preview:	A...... ...............E.h0.....y...........................................y..h...........................w.5.....y....................U..........{...........................................................................G........... ...................................................................................................... ............{k......................................................................................................................................................................................................................{'.h.............d......{'K................9".......{..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.06126980930851943
Encrypted:	false
SSDEEP:
MD5:	980A6DCC4A1E2729C0490FA066796BB0
SHA1:	2B7D629CD54611070FB75EBD5AB9C3788191CE4D
SHA-256:	2105CCFA89D5FB9A7AE60EE366A8568F6B87FD317D9F72C56E5359C1A8222968
SHA-512:	A1349D548499317CE473E8B148E328FED3BEB5C547620642D9BFC4C0447FB649B8E33EBAA0A42A5F44A27865F17D451133DFC06217A19E178BE185F2240BE66D
Malicious:	false
Reputation:	low
Preview:	.0..........................................y.......{.......................{..................{..................9".......{..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{0B3EA938-C898-45C0-8619-91C801244A83}.dat

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.2154208797739767
Encrypted:	false
SSDEEP:
MD5:	C8A7CFD496835A3965452E7959C0A3DE
SHA1:	A356C9192E8B4F0F4A70EBFBCA5AB20F19E386E6
SHA-256:	869F88383CE696C6C121FC825643412273AD1ADE814FC9C85656E1FE844C6C9C
SHA-512:	FFF5AFF1CA55A6E0D5636BF77E631525F858CD0FF2F7EFE0EA88D1D0C6A4FE4CC07D2488808356C0BD762E52B650384B89554AF1AD2354BC215E85BCD061B935
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................pO..q................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................`.......O._.T.S.w.f.W.P.#.T.g.M.v.E.W.2.x.a.o.3.4.l.m.7.r.w.=.=.........:.......................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{74369027-3B7F-4126-B5AA-74D2316EA525}.dat

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	modified
Size (bytes):	5120
Entropy (8bit):	2.017804666657911
Encrypted:	false
SSDEEP:
MD5:	11B8ED26F40209CDC427CBA03475308D
SHA1:	2C4166F850CA666687618F8A94AE426EB7FEC85A
SHA-256:	6EDEB19F12D86E5B3DF0A07ADCDBC8F13EC86780E6E0CC3A781E4A6E3FBCFBBC
SHA-512:	0B38977DDF5F2F4CB6561B988D8A2EB79CB5C12FD73C25329E128B1BD9B9310BECBE83275D975A0F22A85564D0BB8DC16D72C27D06F0DEEE521FAB90C723518F
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................pO..q................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E9491C15-C221-4795-A36E-2286F7B4F24D}.dat

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	2.253359620099615
Encrypted:	false
SSDEEP:
MD5:	98BF40D9CCE1CE2CD81D8A329F98E13B
SHA1:	444154A6B6763C5BBABC1BC0D3B17F9DEDDBB266
SHA-256:	E57E5FC3D000727D1AF6125327C4917E42BFA3A5452524BF01126DD7ACA0ACC7
SHA-512:	CEF2F5252FF8A1D608AAC7BF99305A926F63CFF5B3C0AA5339E7E04A826728BF365F0FC12B083071B30B1DB375CA7EAE9E5E4B0AA8176138529E9984E7C11A64
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................`..p.q................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................\.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF2EBCFB0AD590E629.TMP

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.18316032768667379
Encrypted:	false
SSDEEP:
MD5:	6A3A78B68D0130FCF0CD235321CBF1CD
SHA1:	016B5D0E23A601080E5F498C3728A37055464D70
SHA-256:	70B4849FB9B4F5E8119373D72FAA478739F94BC5CAAFE7240B8ADCFAEFF92749
SHA-512:	805A0D8FBCC2C93C89DF685CD6737DD7711E0F07101A3D908C67C4302553E3D4DD99CF77CCA01A28FA443E8256474B1E1D19994EB34F897F3D1FDCC8C7F4426A
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF4799CE5C01AB4489.TMP

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08980559528584987
Encrypted:	false
SSDEEP:
MD5:	7FDAB13569960932C8D1679211DA044A
SHA1:	593C5A252DED43138733D9523A4D66AA62CA4CCD
SHA-256:	1DFE880AA25CC2665B2E5A9A41C74AE5F9ECDE285A174AFEBA0425DAF0BA4981
SHA-512:	0A04FA3385AECBF91D7FD1A7CB50E1C9B3ADC7A31545A0415ACCF4B01CF6FE9F6491C7B3308A2B3AC9A5E7CA5F275F2DFD08A976DE5D6F3CBDF174A669E480ED
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFB7506E9FD361B0CE.TMP

Download File

Process:	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.20355202296848754
Encrypted:	false
SSDEEP:
MD5:	C3F79A9DF4F54A37C8055BFBA0AC5907
SHA1:	F6C14FC5361467473135BF21E5BB28ABAAFADA2F
SHA-256:	F8FA1768FB05251201A77155B82E2C71559C56D75BAA852197FAB5EA68A77CC8
SHA-512:	7FBBCC6E0F0168FE517FAE3507E62B51F3D75B35F5239707F748396F894D43BECD3F49A56C080729CC278DE2A781D6C62D01A71399F5BB10AEE4C0CA6B95BEFB
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.060946394820425
Encrypted:	false
SSDEEP:
MD5:	8C03F83499C51F665094C40E34C9B86E
SHA1:	88744E193821ACD64426F28A4474A02966F3BD53
SHA-256:	FB5D689D196A4182A50CD014A6F8CF4B1F7DFD70A43C96503778C4DCE04E607F
SHA-512:	727750E13B4591CAC159B84612B3B5C052332486A5A8B693ED45657427CF130C3B455E89A24050E32C82268F16AD552CD77636E5CC55E39E5AC2822ACE1E5FE5
Malicious:	false
Reputation:	low
Preview:	.6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6#.A.bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A\|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6..............................................D............

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (3389), with no line terminators
Entropy (8bit):	6.030427379856597
TrID:	HyperText Markup Language (15015/1) 20.56% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (11501/1) 15.75% HyperText Markup Language (11501/1) 15.75%
File name:	denuncia-6spnpo.PDF.htm
File size:	3389
MD5:	4edc2fc519c18f558872b1c84d944324
SHA1:	88500d84c10f9877733457e5c6c3214431c329db
SHA256:	c0d57b8f1c9372c0080ac228dd263e6b46bc9e30282c7dd9dbc786c73046797a
SHA512:	892f11570c67e61fe45bf0ea843fd6a64cd1ea83fbbaebf8090e56b067292956b5ef3db379303010d898db985c6a90d93db779f39e5336192c8ad47ff234e50c
SSDEEP:	48:TmUqaXxpBYpUZCww7EYXtcAoiVYvDttoOK2o20s0whSLhZnHN9vS4hxmvSBK:TmilCJEwBzVYrttosr0s8thS4hx8SBK
TLSH:	89610BFB3F21564E90E3C6E07C49702E2F4E99AF74424534F0B521DE0BA8B3C84E614A
File Content Preview:	<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Denuncia Agencia Tributaria</title><link rel="shortcut icon" href=

File Icon


Icon Hash:	78d0a8cccc88c460

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report denuncia-6spnpo.PDF.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\3VYMUXWA\dhp[1].htm

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\FQM6Q1IH\dhp[1].htm

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{0B3EA938-C898-45C0-8619-91C801244A83}.dat

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{74369027-3B7F-4126-B5AA-74D2316EA525}.dat

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E9491C15-C221-4795-A36E-2286F7B4F24D}.dat

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF2EBCFB0AD590E629.TMP

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF4799CE5C01AB4489.TMP

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFB7506E9FD361B0CE.TMP

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Static File Info

General

File Icon

Windows Analysis Report
denuncia-6spnpo.PDF.htm