Edit tour
Windows
Analysis Report
https://build-test.evil.com/system-multi.html
Overview
General Information
| Sample URL: | https://build-test.evil.com/system-multi.html |
| Analysis ID: | 1524316 |
| Tags: | ThreatConnect Tag 1ThreatConnect Tag 2 |
| Infos: | |
 | |
Errors
| |
Detection
| Score: | 0 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 40% |
Signatures
Program does not show much activity (idle)
Classification
- System is w7x64
chrome.exe (PID: 1332 cmdline: "C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --start- maximized "about:bla nk" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED) - chrome.exe (PID: 2412 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --type=u tility --u tility-sub -type=netw ork.mojom. NetworkSer vice --lan g=en-US -- service-sa ndbox-type =none --mo jo-platfor m-channel- handle=143 2 --field- trial-hand le=1232,i, 1510925944 0372663659 ,137662807 2375319339 4,131072 - -disable-f eatures=Op timization GuideModel Downloadin g,Optimiza tionHints, Optimizati onHintsFet ching,Opti mizationTa rgetPredic tion /pref etch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 2400 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " "https:/ /build-tes t.evil.com /system-mu lti.html" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Memory has grown: | ||
| Source: | Classification label: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Extra Window Memory Injection | 1 Extra Window Memory Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
| 224.0.0.22 | unknown | Reserved | unknown | unknown | false |
| IP |
|---|
| 192.168.2.11 |
| 192.168.2.7 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1524316 |
| Start date and time: | 2024-10-02 17:19:13 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 6s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | browseurl.jbs |
| Sample URL: | https://build-test.evil.com/system-multi.html |
| Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 2 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | UNKNOWN |
| Classification: | unknown0.win@19/0@0/4 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- URL not reachable
- Exclude process from analysis (whitelisted): vga.dll
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: https://build-test.evil.com/system-multi.html
⊘No simulations
⊘No created / dropped files found
⊘No static file info
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:20:10 |
| Start date: | 02/10/2024 |
| Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13f100000 |
| File size: | 3'151'128 bytes |
| MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 11:20:11 |
| Start date: | 02/10/2024 |
| Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13f100000 |
| File size: | 3'151'128 bytes |
| MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 4 |
| Start time: | 11:20:14 |
| Start date: | 02/10/2024 |
| Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13f100000 |
| File size: | 3'151'128 bytes |
| MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
⊘No disassembly