
Analysis Report https://www.regonline.co.uk/re= gister/invoice.aspx?EventId=3D2559843&AttendeeId=3Dp7rJQASi772JhirDFd7GHg= =3D=3D&EventSessionId=3D&IsBackEnd=3D0&userID=3D654744

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:118343
Start date:22.03.2019
Start time:08:14:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 42s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://www.regonline.co.uk/re= gister/invoice.aspx?EventId=3D2559843&AttendeeId=3Dp7rJQASi772JhirDFd7GHg= =3D=3D&EventSessionId=3D&IsBackEnd=3D0&userID=3D654744
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:SUS
Classification:sus20.troj.win@3/176@25/19
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Browsing link: https://www.regonline.co.uk/page-not-found#top
  • Browsing link: https://www.regonline.co.uk/
  • Browsing link: https://www.regonline.co.uk/page-not-found#
  • Browsing link: https://www.regonline.co.uk/features/
  • Browsing link: https://www.regonline.co.uk/pricing/
  • Browsing link: https://www.regonline.co.uk/contact/
  • Browsing link: https://www.regonline.co.uk/get-started/
  • Browsing link: https://regonline.com/manager/login.aspx
  • Browsing link: https://www.regonline.co.uk/features/event-badge-maker.shtml
  • Browsing link: https://www.regonline.co.uk/features/event-surveys.shtml
  • Browsing link: https://www.regonline.co.uk/features/event-website.shtml
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
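
Note on the sample URL (added by the editor; not part of the Joe Sandbox output). The URL carries quoted-printable residue: every "=3D" is an encoded "=", and "re= gister" and "Hg= =3D=3D" are soft line breaks whose newline was flattened to a space when the link was copied out of an email body. The sandbox browsed the mangled path literally, which is consistent with the first browsed link in the cookbook comments being the page-not-found page rather than the invoice page, so the scoring below reflects the vendor's marketing site, not the registration page the link pointed at. The Python below recovers the intended URL and its query parameters. It assumes exactly one space stands in for each soft-break newline, as in this report, and that the URL is ASCII; the function name and the triage helper are the editor's, not Joe Sandbox's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the sample URL exactly as it appears in the report header.
REPORT_SAMPLE_URL = (
    "https://www.regonline.co.uk/re= gister/invoice.aspx?EventId=3D2559843"
    "&AttendeeId=3Dp7rJQASi772JhirDFd7GHg= =3D=3D&EventSessionId=3D&IsBackEnd=3D0&userID=3D654744"
)

# Quoted-printable soft line break: '=' followed by a line ending, or (assumption for
# flattened report text) by the single space that replaced the original line ending.
_SOFT_BREAK = re.compile(r"=(?:\r?\n|[ \t])")
# Quoted-printable encoded octet, e.g. '=3D' for '='. ASCII octets only; multi-byte UTF-8
# would need byte-level decoding, which this URL does not require.
_ENCODED_OCTET = re.compile(r"=([0-9A-Fa-f]{2})")


def looks_qp_mangled(url: str) -> bool:
    """Triage heuristic: a URL still containing '=3D' or a soft break was never QP-decoded.

    Run this before decode_qp_url(); decoding is not idempotent, because a clean URL
    may legitimately contain '=' followed by two hex digits (e.g. 'EventId=2559843').
    """
    return bool(_SOFT_BREAK.search(url) or re.search(r"=3[Dd]", url))


def decode_qp_url(url: str) -> str:
    """Undo quoted-printable encoding left in a URL lifted from an email body.

    Soft breaks are removed first so that 'Hg= =3D=3D' collapses to 'Hg==' rather than
    leaving a stray space behind.
    """
    without_breaks = _SOFT_BREAK.sub("", url)
    return _ENCODED_OCTET.sub(lambda m: chr(int(m.group(1), 16)), without_breaks)


def query_params(url: str) -> dict:
    """Return the query string as {name: value}; blank values kept, last value wins."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[-1] for name, values in parsed.items()}


if __name__ == "__main__":
    if looks_qp_mangled(REPORT_SAMPLE_URL):
        fixed = decode_qp_url(REPORT_SAMPLE_URL)
        print(fixed)
        for name, value in query_params(fixed).items():
            print(f"  {name} = {value!r}")
```

The recovered path is /register/invoice.aspx with five parameters; AttendeeId decodes to a base64-looking token that ends in "==", which is exactly the part the soft break had split. When a URL from a phishing report shows "=3D" in it, decode it this way before submitting it to a sandbox, otherwise the analysis never reaches the page the recipient was meant to see.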

Detection

Strategy    Score   Range     Whitelisted   Detection
Threshold   20      0 - 100   false         suspicious

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   4       0 - 5   false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Tactic                  Technique                                   Signatures
Initial Access          Valid Accounts                              -
                        Replication Through Removable Media         -
Execution               Windows Remote Management                   -
                        Service Execution                           -
Persistence             Winlogon Helper DLL                         -
                        Port Monitors                               -
Privilege Escalation    Port Monitors                               -
                        Accessibility Features                      -
Defense Evasion         File System Logical Offsets                 -
                        Binary Padding                              -
Credential Access       Credential Dumping                          -
                        Network Sniffing                            -
Discovery               System Network Configuration Discovery      1
                        Application Window Discovery                -
Lateral Movement        Application Deployment Software             -
                        Remote Services                             -
Collection              Data from Local System                      -
                        Data from Removable Media                   -
Exfiltration            Data Encrypted                              1
                        Exfiltration Over Other Network Medium      -
Command and Control     Standard Non-Application Layer Protocol     3
                        Standard Application Layer Protocol         3

Only the four techniques with a signature count were matched in this analysis (the counts are the superscripts of the original matrix). The entries marked "-" are the matrix's unmatched placeholder cells, not observed behaviour.

Signature Overview



Phishing:

META author tag missing
Source: https://www.regonline.com/manager/login.aspx? | HTTP Parser: No <meta name="author".. found
META copyright tag missing
Source: https://www.regonline.com/manager/login.aspx? | HTTP Parser: No <meta name="copyright".. found
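
The two phishing signatures above are a presence check for META name="author" and name="copyright" tags in the served HTML. The Python below reproduces that check on constructed HTML. It is an added example written by the editor, not Joe Sandbox's HTTP Parser, whose exact rules the report does not show; the two sample documents are constructed stand-ins, not pages fetched from regonline.com.

```python
from html.parser import HTMLParser

# Constructed stand-in for a login page that, like the report's login.aspx, carries no
# author or copyright META tag.
LOGIN_PAGE_WITHOUT_META = """<!doctype html>
<html><head><title>Sign in</title>
<meta charset="utf-8"><meta name="viewport" content="width=device-width">
</head><body><form method="post" action="/manager/login.aspx">
<input name="user"><input name="pass" type="password"></form></body></html>"""

# Constructed page that carries both tags, with mixed-case attribute names and a
# self-closing tag on purpose: the check must not be fooled by either.
PAGE_WITH_META = """<html><head>
<META Name="Author" content="Example Events Ltd" />
<meta name="copyright" content="(c) 2019 Example Events Ltd">
</head><body>ok</body></html>"""

REQUIRED_META_NAMES = ("author", "copyright")


class _MetaCollector(HTMLParser):
    """Collects the lower-cased name= value of every <meta> tag in the document."""

    def __init__(self):
        super().__init__()
        self.meta_names = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names; values are left as-is,
        # so the value is normalised here. Self-closing tags also arrive through this hook.
        if tag != "meta":
            return
        for key, value in attrs:
            if key == "name" and value:
                self.meta_names.add(value.strip().lower())


def missing_meta_tags(html: str, required=REQUIRED_META_NAMES) -> list:
    """Return the required META name= values the document lacks, in the given order."""
    collector = _MetaCollector()
    collector.feed(html)
    collector.close()
    return [name for name in required if name not in collector.meta_names]


if __name__ == "__main__":
    for label, page in (("login page", LOGIN_PAGE_WITHOUT_META), ("tagged page", PAGE_WITH_META)):
        print(label, "missing:", missing_meta_tags(page) or "nothing")
```

Both signatures fire on any page that simply omits the tags; here they fired on the vendor's own manager login page. On their own they carry little weight and are best read alongside the networking evidence rather than as a phishing verdict.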

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /?domain=en-GB HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: www.regonline.com
Found strings which match to known social media urls
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: lsrc="70100000000SYFlAAO"; // referral Yahoo equals www.yahoo.com (Yahoo)
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: lsrc="70100000000SYG0AAO"; // referral facebook equals www.facebook.com (Facebook)
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: lsrc="70100000000SYG1AAO"; // referral twitter equals www.twitter.com (Twitter)
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: lsrc="70100000000SYG2AAO"; // referral linkedin equals www.linkedin.com (Linkedin)
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: lsrc="70100000000SYG7AAO"; // referral youtube equals www.youtube.com (Youtube)
Source: contact[1].htm.2.dr | String found in binary or memory: <li><a href="https://twitter.com/cvent" title="Twitter" target="_blank"> equals www.twitter.com (Twitter)
Source: contact[1].htm.2.dr | String found in binary or memory: <li><a href="https://www.facebook.com/Cvent/" title="Facebook" target="_blank"> equals www.facebook.com (Facebook)
Source: contact[1].htm.2.dr | String found in binary or memory: <li><a href="https://www.linkedin.com/company/18125/" title="Linkedin" target="_blank"> equals www.linkedin.com (Linkedin)
Source: contact[1].htm.2.dr | String found in binary or memory: <li><a href="https://www.youtube.com/user/CventVideo" title="Youtube" target="_blank"> equals www.youtube.com (Youtube)
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: var sRefUrl = document.referrer,//'//youtube.in/l.php?u=' equals www.youtube.com (Youtube)
Source: marketo-framework[1].js.2.dr | String found in binary or memory: $("span.sociallink").text('Enable you to post to Twitter, YouTube and Flickr'); equals www.twitter.com (Twitter)
Source: marketo-framework[1].js.2.dr | String found in binary or memory: $("span.sociallink").text('Enable you to post to Twitter, YouTube and Flickr'); equals www.youtube.com (Youtube)
Source: marketo-framework[1].js.2.dr | String found in binary or memory: $("span.sociallink").text('Enable you to post to Twitter, YouTube and Flickr'); equals www.twitter.com (Twitter)
Source: marketo-framework[1].js.2.dr | String found in binary or memory: $("span.sociallink").text('Enable you to post to Twitter, YouTube and Flickr'); equals www.youtube.com (Youtube)
Source: features[1].htm.2.dr | String found in binary or memory: <p>Create a buzz around your event using <a href="/features/social-media-marketing.shtml" title="Social Media Marketing">social promotion tools</a> to harness the power of Facebook, Twitter, Snapchat, Instagram, and LinkedIn.</p> equals www.facebook.com (Facebook)
Source: features[1].htm.2.dr | String found in binary or memory: <p>Create a buzz around your event using <a href="/features/social-media-marketing.shtml" title="Social Media Marketing">social promotion tools</a> to harness the power of Facebook, Twitter, Snapchat, Instagram, and LinkedIn.</p> equals www.linkedin.com (Linkedin)
Source: features[1].htm.2.dr | String found in binary or memory: <p>Create a buzz around your event using <a href="/features/social-media-marketing.shtml" title="Social Media Marketing">social promotion tools</a> to harness the power of Facebook, Twitter, Snapchat, Instagram, and LinkedIn.</p> equals www.twitter.com (Twitter)
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: * Copyright (c) Facebook, Inc. and its affiliates. equals www.facebook.com (Facebook)
Source: bootstrap.min[1].js0.2.dr | String found in binary or memory: * Copyright 2011-2015 Twitter, Inc. equals www.twitter.com (Twitter)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x282fe5da,0x01d4e0c2</date><accdate>0x282fe5da,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x282fe5da,0x01d4e0c2</date><accdate>0x28314366,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x283a3fe3,0x01d4e0c2</date><accdate>0x283a3fe3,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x283a3fe3,0x01d4e0c2</date><accdate>0x283a3fe3,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x28417a00,0x01d4e0c2</date><accdate>0x28417a00,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x28417a00,0x01d4e0c2</date><accdate>0x2843d8c2,0x01d4e0c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.regonline.co.uk
Urls found in memory or binary data
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: http://allyoucanleet.com/
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: http://api.local.regonline.com
Source: jquery-migrate-1.2.1[1].js.2.dr | String found in binary or memory: http://bugs.jquery.com/ticket/13335
Source: jquery.maskedinput.min[1].js.2.dr | String found in binary or memory: http://digitalbush.com/projects/masked-input-plugin/#license)
Source: snh_manager_master_min[1].js.2.dr | String found in binary or memory: http://docs.jquery.com/UI
Source: snh_manager_master_min[1].js.2.dr | String found in binary or memory: http://docs.jquery.com/UI/Mouse
Source: snh_manager_master_min[1].js.2.dr | String found in binary or memory: http://docs.jquery.com/UI/Widget
Source: bootstrap.min[1].js0.2.dr | String found in binary or memory: http://getbootstrap.com)
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: http://jedwatson.github.io/classnames
Source: snh_manager_master_min[1].js.2.dr | String found in binary or memory: http://jquery.org/license
Source: jquery-ui.min[1].js.2.dr | String found in binary or memory: http://jqueryui.com
Source: snh_manager_master_min[1].js.2.dr | String found in binary or memory: http://jqueryui.com/about)
Source: contact[1].htm.2.dr | String found in binary or memory: http://lanyon.com/Assets/General/MSA_April2017.aspx
Source: modernizr[1].js.2.dr | String found in binary or memory: http://modernizr.com/download/#-fontface-backgroundsize-borderimage-borderradius-boxshadow-flexbox-f
Source: modernizr-2.8.3.min[1].js.2.dr | String found in binary or memory: http://modernizr.com/download/#-fontface-backgroundsize-borderimage-borderradius-boxshadow-flexbox-h
Source: jquery.alphanum[1].js.2.dr | String found in binary or memory: http://simonwillison.net/2006/Jan/20/escape/
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: style[1].css0.2.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: features[1].htm.2.dr | String found in binary or memory: http://www.crowdcompass.com/
Source: login[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/company/
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/event-management-software/
Source: features[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/event-management-software/passkey.shtml
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/mobile-event-apps
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/strategic-meetings-management/
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/en/web-survey-software/
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.cvent.com/rfp/
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html
Source: ga[1].js.2.dr | String found in binary or memory: http://www.google-analytics.com
Source: msapplication.xml1.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.live.com/
Source: ScriptResource[3].js.2.dr | String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: s-code-contents-a0fe70168a36364dc12284364f463394c1957874[1].js.2.dr | String found in binary or memory: http://www.omniture.com
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.reddit.com/
Source: 783JQLDN.htm.2.dr | String found in binary or memory: http://www.regonline.com/
Source: login[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/NewUserTraining2018
Source: contact[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/contact/
Source: features[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/features/
Source: event-badge-maker[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/features/event-badge-maker.shtml
Source: event-surveys[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/features/event-surveys.shtml
Source: event-website[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/features/event-website.shtml
Source: get-started[1].htm.2.dr | String found in binary or memory: http://www.regonline.com/sign-up/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.youtube.com/
Source: contact[1].htm.2.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
Source: contact[1].htm.2.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.3/jquery-ui.min.js
Source: analytics[1].js.2.dr | String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: https://api.regonline.com
Source: index[1].htm.2.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/3.0.3/normalize.min.css
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: https://code.jquery.com/jquery-2.2.0.min.js
Source: contact[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-migrate-1.2.1.js
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: https://d10.github.io/
Source: users[1].json.2.dr | String found in binary or memory: https://driftt.imgix.net/https%3A%2F%2Fdriftt.imgix.net%2Fhttps%253A%252F%252Fs3.amazonaws.com%252Fc
Source: users[1].json.2.dr | String found in binary or memory: https://driftt.imgix.net/https%3A%2F%2Ffile2.api.drift.com%2Fdrift-prod-file-uploads%2F37a6%252F37a6
Source: widget-57ca747c1a78b5baa820[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Lato);
Source: widget-57ca747c1a78b5baa820[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: widget-57ca747c1a78b5baa820[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Overpass);
Source: widget-57ca747c1a78b5baa820[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: widget-57ca747c1a78b5baa820[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto);
Source: css[5].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/lato/v14/S6uyw4BMUTPHjx4wWA.woff)
Source: css[4].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0d.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/overpass/v3/qFdH35WCmI96Ajtm81GlU90.woff)
Source: css[2].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: css[3].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/robotoslab/v8/BngMUXZYTXPIvIBgJJSb6ufN5qM.woff)
Source: style[1].css0.2.dr | String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: jquery-migrate-1.2.1[1].js.2.dr | String found in binary or memory: https://github.com/jquery/jquery-migrate
Source: jquery.validate.min[1].js.2.dr | String found in binary or memory: https://github.com/jzaefferer/jquery-validation
Source: style[1].css0.2.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: marketo-framework[1].js.2.dr | String found in binary or memory: https://ipinfo.io?token=
Source: marketo-framework[1].js.2.dr | String found in binary or memory: https://joincvent.webex.com/joincvent/m.php?AT=JM&MK=
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://js.driftt.com/deploy/assets/index.html
Source: contact[1].htm.2.dr | String found in binary or memory: https://js.driftt.com/include/
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: https://mths.be/mit
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: https://mths.be/platform
Source: login[1].htm.2.dr | String found in binary or memory: https://prd-static.regonline.com/styles/snh/nexus_resources/js/html5.js
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: https://qa-api.regonline.com
Source: vendors-widget-77434b91247fedf16e98[1].js.2.dr | String found in binary or memory: https://raw.githubusercontent.com/stefanpenner/es6-promise/master/LICENSE
Source: contact[1].htm.2.dr | String found in binary or memory: https://regonline.com/manager/login.aspx
Source: login[1].htm.2.dr | String found in binary or memory: https://rol.lanyonassets.com/snh_manager_master_min.js?v=636881230869218764
Source: login[1].htm.2.dr | String found in binary or memory: https://rol.lanyonassets.com/snh_master_01_min.css?v=636881230869218764
Source: login[1].htm.2.dr | String found in binary or memory: https://rol.lanyonassets.com/styles/manager/manager_master_sessionless_min.css?v=636881230869218764
Source: ga[1].js.2.dr | String found in binary or memory: https://ssl.google-analytics.com
Source: ga[1].js.2.dr | String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: analytics[1].js.2.dr | String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: ga[1].js.2.dr | String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: analytics[1].js.2.dr | String found in binary or memory: https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&
Source: GetStartedWidget[1].js.2.dr | String found in binary or memory: https://stg-api.regonline.com
Source: contact[1].htm.2.dr | String found in binary or memory: https://twitter.com/cvent
Source: GetStartedWidget[1].js.2.dr, get-started[1].htm.2.dr | String found in binary or memory: https://widgets.regonline.com
Source: get-started[1].htm.2.dr | String found in binary or memory: https://widgets.regonline.com/GetStarted/GetStartedWidget.js
Source: multiple-cid-capture-min-marketo[1].js.2.dr | String found in binary or memory: https://www.cvent.com/en/privacy-policy
Source: analytics[1].js.2.dr | String found in binary or memory: https://www.google-analytics.com/analytics
Source: analytics[1].js.2.dr | String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.2.dr | String found in binary or memory: https://www.google-analytics.com/u/d
Source: analytics[1].js.2.dr | String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: ga[1].js.2.dr | String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: ga[1].js.2.dr, analytics[1].js.2.dr | String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: login[1].htm.2.dr | String found in binary or memory: https://www.lanyon.com/privacy-policy.shtml&#39;
Source: login[1].htm.2.dr | String found in binary or memory: https://www.lanyon.com/privacy-policy.shtml&quot;
Source: contact[1].htm.2.dr | String found in binary or memory: https://www.linkedin.com/company/18125/
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.Root
Source: imagestore.dat.2.dr | String found in binary or memory: https://www.regonline.co.uk/assets/favicon/favicon.ico
Source: imagestore.dat.2.dr | String found in binary or memory: https://www.regonline.co.uk/assets/favicon/favicon.ico~
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/contact/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/contact/RContact
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/contact/ound#
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/contact/ound#User
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/8Product
Source: ~DF10DD8A0DE8364E57.TMP.1.dr, {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-badge-maker.shtml
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-surveys.shtml
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-surveys.shtmlRCustom
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-surveys.shtmlml
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-website.shtml
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-website.shtmlRCreate
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/event-website.shtmlml
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/ound#
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/features/ound#l
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/get-started/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/get-started/#
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/get-started/NSign
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-found
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-found#
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-found#op
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-found#top
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaRoot
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/contact/ound#Root
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/features/event-badge-makerx.html
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/features/event-surveys.shtx.html
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/features/event-website.shtx.html
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/features/ound#Root
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/get-started/Root
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/page-not-found#Root
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/page-not-found#topRoot
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPaco.uk/pricing/ound#Root
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPacom/?domain=en-GBnd#topRoot
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPacom/manager/login.aspx?Root
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundFPage
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundRoot
Source: ~DF10DD8A0DE8364E57.TMP.1.dr, {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.co.uk/page-not-foundv
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/pricing/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/pricing/:RegOnline
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/pricing/ound#
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.co.uk/pricing/ound#j
Source: GetStartedWidget[1].js.2.dr, get-started[1].htm.2.dr, 783JQLDN.htm.2.dr | String found in binary or memory: https://www.regonline.com
Source: 783JQLDN.htm.2.dr | String found in binary or memory: https://www.regonline.com/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.com/?domain=en-GB
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.com/?domain=en-GBnd#top
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.com/?domain=en-GBrRegOnline
Source: login[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/ActiveStatic/Common_LocalResource_min.css?v=636881230869218764
Source: login[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/GetStarted.aspx?domain=en-us
Source: imagestore.dat.2.dr | String found in binary or memory: https://www.regonline.com/assets/favicon/favicon.ico
Source: imagestore.dat.2.dr | String found in binary or memory: https://www.regonline.com/assets/favicon/favicon.ico~
Source: contact[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/contact/
Source: imagestore.dat.2.dr | String found in binary or memory: https://www.regonline.com/favicon.ico
Source: features[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/features/
Source: event-badge-maker[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/features/event-badge-maker.shtml
Source: event-surveys[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/features/event-surveys.shtml
Source: event-website[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/features/event-website.shtml
Source: pricing[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/get-started/
Source: ~DF10DD8A0DE8364E57.TMP.1.dr | String found in binary or memory: https://www.regonline.com/manager/login.aspx?
Source: pricing[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/pricing/
Source: get-started[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/sign-up/
Source: login[1].htm.2.dr | String found in binary or memory: https://www.regonline.com/terms/
Source: {51197017-4CB5-11E9-AAD9-C25F135D3C65}.dat.1.dr | String found in binary or memory: https://www.regonline.p
Source: contact[1].htm.2.dr | String found in binary or memory: https://www.youtube.com/user/CventVideo
Uses HTTPSShow sources

System Summary:

Classification label
Source: classification engine; Classification label: sus20.troj.win@3/176@25/19
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DFFBD309310A934321.TMP
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe; File read: C:\Users\desktop.ini
Spawns processes
Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Found GUI installer (many successful clicks)
Source: C:\Program Files\internet explorer\iexplore.exe; Automated click: Accept
Source: C:\Program Files\internet explorer\iexplore.exe; Automated click: Accept
Source: C:\Program Files\internet explorer\iexplore.exe; Automated click: Accept
Source: C:\Program Files\internet explorer\iexplore.exe; Automated click: Accept
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph; ID: 118343; URL: https://www.regonline.co.uk/re= gister/invoice.aspx?Event...; Startdate: 22/03/2019; Architecture: WINDOWS; Score: 20. Nodes: the sample URL resolves to www.regonline.co.uk and prod-international-1248391988.us-east-1.elb.amazonaws.com and carries the signature "May check the online IP address of the machine"; iexplore.exe is started, which in turn starts a child iexplore.exe; the child contacts www.regonline.co.uk, rol.lanyonassets.com and 33 other IPs or domains.]

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
www.regonline.co.uk | 0% | virustotal | 
rol.lanyonassets.com | 0% | virustotal | 

URLs

Source | Detection | Scanner | Label
https://www.regonline.co.uk/features/event-website.shtmlRCreate | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/get-started/# | 0% | Avira URL Cloud | safe
https://rol.lanyonassets.com/snh_manager_master_min.js?v=636881230869218764 | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/features/ound#Root | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-found#op | 0% | Avira URL Cloud | safe
https://www.regonline.p | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/features/event-website.shtx.html | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/ound# | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/contact/ound# | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-found | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/get-started/Root | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/pricing/ound#Root | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundRoot | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaRoot | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/ | 0% | Avira URL Cloud | safe
https://www.regonline. | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/contact/ound#Root | 0% | Avira URL Cloud | safe
https://rol.lanyonassets.com/styles/manager/manager_master_sessionless_min.css?v=636881230869218764 | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-found#top | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/features/event-surveys.shtx.html | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/pricing/ound#j | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/get-started/ | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/event-surveys.shtml | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/page-not-found#Root | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/pricing/ | 0% | Avira URL Cloud | safe
https://www.regonline.co.Root | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/page-not-foundFPaco.uk/page-not-found#topRoot | 0% | Avira URL Cloud | safe
http://simonwillison.net/2006/Jan/20/escape/ | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/contact/ | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/event-website.shtml | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/pricing/ound# | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/8Product | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/get-started/NSign | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/pricing/:RegOnline | 0% | Avira URL Cloud | safe
https://www.regonline.co.uk/features/ound#l | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.