Loading ...

Analysis Report http://x.co/6ncbx

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:102807
Start date:11.01.2019
Start time:19:45:53
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://x.co/6ncbx
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.win@4/75@11/5
Cookbook Comments:
  • Adjust boot time
  • Browsing link: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/
  • Browsing link: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/#
  • Browsing link: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/of365.php
  • Browsing link: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.php
  • Browsing link: https://my.hostclear.com/exclusive/search-engine-submission
  • Browsing link: https://my.hostclear.com/add-ons/dedicated-ip
  • Browsing link: https://my.hostclear.com/add-ons/site-lock
  • Browsing link: https://my.hostclear.com/add-ons/spam-block
  • Browsing link: https://my.hostclear.com/exclusive/ssl-certificate
  • Browsing link: https://my.hostclear.com/exclusive/site-directory
  • Browsing link: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.php
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold20 - 100Report FP / FNfalseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold30 - 5true
ConfidenceConfidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingProcess Discovery1Application Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol3
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol3

Signature Overview

Click to jump to signature section


Phishing:

barindex
HTML body contains low number of good linksShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: Number of links: 0
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: Number of links: 0
HTML title does not match URLShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: Title: Gmail does not match URL
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: Title: Docusign does not match URL
Invalid T&C link foundShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: Invalid link: Help
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: Invalid link: Privacy
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: Invalid link: Terms
Suspicious form URL foundShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: Form action: otp.php
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: Form action: ofp.php
META author tag missingShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: No <meta name="author".. found
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: No <meta name="author".. found
META copyright tag missingShow sources
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/aodc.phpHTTP Parser: No <meta name="copyright".. found
Source: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e637c474a8963d02dba969/otdc.phpHTTP Parser: No <meta name="copyright".. found

Networking:

barindex
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)Show sources
Source: global trafficTCP traffic: 192.168.2.6:49810 -> 45.40.140.1:80
Source: global trafficTCP traffic: 192.168.2.6:49813 -> 96.127.138.18:443
Source: global trafficTCP traffic: 192.168.2.6:49819 -> 31.220.17.26:80
Source: global trafficTCP traffic: 192.168.2.6:49827 -> 107.178.244.42:443
Source: global trafficTCP traffic: 192.168.2.6:49839 -> 162.247.242.18:443
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /6ncbx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: x.coConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/sampledata/hack-run.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: shopget24.comConnection: Keep-Alive
Found strings which match to known social media urlsShow sources
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Dom.get("optionselect_domainrootselect_radio").checked = true; equals www.yahoo.com (Yahoo)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Event.on("optionselect_domainrootselect_radio","click", function () { updatedir_fromdomain(); }); equals www.yahoo.com (Yahoo)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Event.on("optionselect_domainselect", "change", function() { equals www.yahoo.com (Yahoo)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Event.on(optionselect_ids, "click", function() { save_optionselect_form(); }); equals www.yahoo.com (Yahoo)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Event.onDOMReady(init_extended_stats); equals www.yahoo.com (Yahoo)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: YAHOO.util.Event.onDOMReady(init_optionselect); equals www.yahoo.com (Yahoo)
Source: bootstrap[1].css.2.drString found in binary or memory: * Copyright 2011-2014 Twitter, Inc. equals www.twitter.com (Twitter)
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8e45d948,0x01d4aa29</date><accdate>0x8e45d948,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8e45d948,0x01d4aa29</date><accdate>0x8e4a4087,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8e62277b,0x01d4aa29</date><accdate>0x8e62277b,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8e62277b,0x01d4aa29</date><accdate>0x8e64a618,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8e6bc30b,0x01d4aa29</date><accdate>0x8e6bc30b,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8e6bc30b,0x01d4aa29</date><accdate>0x8e6e1a9a,0x01d4aa29</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: ~DF6B2826D64AFAFEE9.TMP.1.drString found in binary or memory: Facebook.urlx equals www.facebook.com (Facebook)
Source: ~DF6B2826D64AFAFEE9.TMP.1.drString found in binary or memory: Twitter.urlxu % equals www.twitter.com (Twitter)
Source: ~DF6B2826D64AFAFEE9.TMP.1.drString found in binary or memory: Youtube.url equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: x.co
Urls found in memory or binary dataShow sources
Source: bootstrap[1].css.2.drString found in binary or memory: http://getbootstrap.com)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: http://shopget24.com/images/sampledata/hack-run.png
Source: ijz7aqs[1].css.2.drString found in binary or memory: http://typekit.com/eulas/00000000000000000001522c
Source: ijz7aqs[1].css.2.drString found in binary or memory: http://typekit.com/eulas/00000000000000000001522d
Source: ijz7aqs[1].css.2.drString found in binary or memory: http://typekit.com/eulas/000000000000000000015231
Source: ijz7aqs[1].css.2.drString found in binary or memory: http://typekit.com/eulas/000000000000000000015232
Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.drString found in binary or memory: http://www.youtube.com/
Source: bootstrap[1].css.2.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/add-ons/dedicated-ip
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/add-ons/ecommerce
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/add-ons/site-lock
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/add-ons/spam-block
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/additional-domains
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/domains
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/just-cloud
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/pc-backup
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/search-engine-submission
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/second-site
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/site-directory
Source: 77572d46e4e637c474a8963d02dba969[1].htm0.2.drString found in binary or memory: https://my.hostclear.com/exclusive/ssl-certificate
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://p.typekit.net/p.css?s=1&k=ijz7aqs&ht=tk&f=15701.15703.15705.15708&a=2637880&app=typekit&e=cs
Source: {B40C4C02-161C-11E9-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: https://tecnomarketbogocom/m/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e
Source: {B40C4C02-161C-11E9-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: https://tecnomarketbogoota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e
Source: newsign2[1].htm.2.drString found in binary or memory: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/
Source: ~DF6B2826D64AFAFEE9.TMP.1.dr, 77572d46e4e637c474a8963d02dba969[1].htm.2.drString found in binary or memory: https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/180254/00000000000000000001522c/27/a?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/180254/00000000000000000001522c/27/d?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/180254/00000000000000000001522c/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/220823/000000000000000000015231/27/a?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/220823/000000000000000000015231/27/d?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/220823/000000000000000000015231/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/6c7e72/000000000000000000015232/27/a?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/6c7e72/000000000000000000015232/27/d?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/6c7e72/000000000000000000015232/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/bdde80/00000000000000000001522d/27/a?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/bdde80/00000000000000000001522d/27/d?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: ijz7aqs[1].css.2.drString found in binary or memory: https://use.typekit.net/af/bdde80/00000000000000000001522d/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8
Source: R0LNNDCT.htm.2.drString found in binary or memory: https://use.typekit.net/ijz7aqs.css
Source: {B40C4C02-161C-11E9-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: https://www.hostclear.
Source: {B40C4C02-161C-11E9-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: https://www.hostclear.com/
Source: ~DF6B2826D64AFAFEE9.TMP.1.drString found in binary or memory: https://www.hostclear.com/m/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e6
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean2.win@4/75@11/5
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\CRAIGH~1\AppData\Local\Temp\~DF5AC82D429006A07B.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4012 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4012 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Queries a list of all running processesShow sources
Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 process2 2 Behavior Graph ID: 102807 URL: http://x.co/6ncbx Startdate: 11/01/2019 Architecture: WINDOWS Score: 2 5 iexplore.exe 3 88 2->5         started        7 svchost.exe 4 2->7         started        process3 9 iexplore.exe 1 94 5->9         started        dnsIp4 12 tecnomarketbogota.com 96.127.138.18, 443, 49813, 49814 SINGLEHOP-LLC-SingleHopIncUS United States 9->12 14 bam.nr-data.net 162.247.242.18, 443, 49839, 49840 NEWRELIC-AS-1-NewRelicUS United States 9->14 16 8 other IPs or domains 9->16

Simulations

Behavior and APIs

TimeTypeDescription
19:47:00API Interceptor1x Sleep call for process: svchost.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
login.hostclear.com0%virustotalBrowse
www.hostclear.com0%virustotalBrowse
tecnomarketbogota.com0%virustotalBrowse
my.hostclear.com0%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
https://tecnomarketbogoota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e0%Avira URL Cloudsafe
https://www.hostclear.com/0%virustotalBrowse
https://www.hostclear.com/0%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/just-cloud0%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/search-engine-submission0%virustotalBrowse
https://my.hostclear.com/exclusive/search-engine-submission0%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/site-directory0%Avira URL Cloudsafe
http://shopget24.com/images/sampledata/hack-run.png0%virustotalBrowse
http://shopget24.com/images/sampledata/hack-run.png0%Avira URL Cloudsafe
https://my.hostclear.com/add-ons/dedicated-ip0%virustotalBrowse
https://my.hostclear.com/add-ons/dedicated-ip0%Avira URL Cloudsafe
https://my.hostclear.com/add-ons/site-lock0%Avira URL Cloudsafe
https://www.hostclear.com/m/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e60%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/pc-backup0%virustotalBrowse
https://my.hostclear.com/exclusive/pc-backup0%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/ssl-certificate0%Avira URL Cloudsafe
https://my.hostclear.com/domains0%virustotalBrowse
https://my.hostclear.com/domains0%Avira URL Cloudsafe
https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e40%Avira URL Cloudsafe
https://my.hostclear.com/add-ons/ecommerce0%virustotalBrowse
https://my.hostclear.com/add-ons/ecommerce0%Avira URL Cloudsafe
https://my.hostclear.com/add-ons/spam-block0%virustotalBrowse
https://my.hostclear.com/add-ons/spam-block0%Avira URL Cloudsafe
https://tecnomarketbogocom/m/images/www.integratedprotection.com.documentsecure/newsign2/77572d46e4e0%Avira URL Cloudsafe
https://my.hostclear.com/additional-domains0%Avira URL Cloudsafe
https://my.hostclear.com/exclusive/second-site0%Avira URL Cloudsafe
https://tecnomarketbogota.com/images/www.integratedprotection.com.documentsecure/newsign2/0%Avira URL Cloudsafe
https://www.hostclear.0%Avira URL Cloudsafe
http://x.co/6ncbx0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.