Loading ...

Analysis Report https://ci4.googleusercontent.com/proxy/dnw8-WBC8SO5_pxgiJsOshUEOD-kUb5bD_cnFXKbr06QEGKZ7lbDubH6hs3c16v0-h4Ytu3nIXiD6c4vaxKMxggWSngAJTo26KMQKMvmS5g1g0ULzg=s0-d-e1-ft#https://NA3.docusign.net/Member/Images/email/logo-DS-116x33@2x.png

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:102808
Start date:11.01.2019
Start time:19:45:54
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 44s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://ci4.googleusercontent.com/proxy/dnw8-WBC8SO5_pxgiJsOshUEOD-kUb5bD_cnFXKbr06QEGKZ7lbDubH6hs3c16v0-h4Ytu3nIXiD6c4vaxKMxggWSngAJTo26KMQKMvmS5g1g0ULzg=s0-d-e1-ft#https://NA3.docusign.net/Member/Images/email/logo-DS-116x33@2x.png
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean0.win@3/9@1/1
Cookbook Comments:
  • Adjust boot time
Warnings:
Show All
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, ielowutil.exe, WerFault.exe, RuntimeBroker.exe, wermgr.exe, Microsoft.Photos.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, ApplicationFrameHost.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold00 - 100Report FP / FNfalseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section


Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: ci4.googleusercontent.com
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean0.win@3/9@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DF6FA03F6699F1B8E7.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2764 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2764 CREDAT:17410 /prefetch:2Jump to behavior
Found GUI installer (many successful clicks)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Ok
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Ok
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 process2 2 Behavior Graph ID: 102808 URL: https://ci4.googleusercontent.com/proxy/dnw8-WBC8SO5_pxgi... Startdate: 11/01/2019 Architecture: WINDOWS Score: 0 5 iexplore.exe 12 68 2->5         started        process3 7 iexplore.exe 27 5->7         started        dnsIp4 10 photos-ugc.l.googleusercontent.com 172.217.168.33, 443, 49781, 49782 GOOGLE-GoogleIncUS United States 7->10 12 ci4.googleusercontent.com 7->12

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
https://ci4.googleusercontent.com/proxy/dnw8-WBC8SO5_pxgiJsOshUEOD-kUb5bD_cnFXKbr06QEGKZ7lbDubH6hs3c16v0-h4Ytu3nIXiD6c4vaxKMxggWSngAJTo26KMQKMvmS5g1g0ULzg=s0-d-e1-ft#https://NA3.docusign.net/Member/Images/email/logo-DS-116x33@2x.png0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.