Windows
Analysis Report
https://download.dymo.com/dymo/Software/Win/DCDSetup1.4.5.1.exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w7x64
- chrome.exe (PID: 2440 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --start- maximized "about:bla nk" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED) - chrome.exe (PID: 2252 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --type=u tility --u tility-sub -type=netw ork.mojom. NetworkSer vice --lan g=en-US -- service-sa ndbox-type =none --mo jo-platfor m-channel- handle=144 8 --field- trial-hand le=1260,i, 1445659277 7815792829 ,113558228 8485261099 2,131072 - -disable-f eatures=Op timization GuideModel Downloadin g,Optimiza tionHints, Optimizati onHintsFet ching,Opti mizationTa rgetPredic tion /pref etch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 2640 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " "https:/ /download. dymo.com/d ymo/Softwa re/Win/DCD Setup1.4.5 .1.exe" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | |||
Source: | File created: | Jump to dropped file |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 13 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.google.com | 142.250.217.196 | true | false | high | |
download.dymo.com | unknown | unknown | false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.250.217.196 | www.google.com | United States | 15169 | GOOGLEUS | false | |
239.255.255.250 | unknown | Reserved | unknown | unknown | false |
IP |
---|
192.168.2.5 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1427013 |
Start date and time: | 2024-04-16 22:05:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | browseurl.jbs |
Sample URL: | https://download.dymo.com/dymo/Software/Win/DCDSetup1.4.5.1.exe |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 2 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean2.win@18/3@4/3 |
EGA Information: | Failed |
HCA Information: |
|
- Exclude process from analysis (whitelisted): vga.dll
- Excluded IPs from analysis (whitelisted): 173.194.211.94, 142.250.217.206, 64.233.176.84, 34.104.35.123, 104.18.33.158, 172.64.154.98, 173.194.213.94
- Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, download.dymo.com.cdn.cloudflare.net, clients.l.google.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: https://download.dymo.com/dymo/Software/Win/DCDSetup1.4.5.1.exe
Process: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13041 |
Entropy (8bit): | 5.882902585401527 |
Encrypted: | false |
SSDEEP: | 192:xwWVCA2Li61Xt6x9gG0lKpagNQvN5aeMMMEo5Il4AV0U81:xwW87myIElgNQl5aeMMMd5wnV0Uk |
MD5: | 76BC974CCE32F2C7C3F68BEC877C2A6D |
SHA1: | 59D5E518168DAC604411FA05FF8E716F30676029 |
SHA-256: | 52B4A30F4C12397E63AF38FC9AEAEE5264CF6B62AE759C614F6D738D0E0E7186 |
SHA-512: | E734D1FAFB494244371948265EFDC181C47113F8D9DE58618325CAEC243B12395CC997E48396BE9F597E2C89ADD0DF8D627999C55EC4C928C252FCD9EC84DEB8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 21255 |
Entropy (8bit): | 5.983475666079584 |
Encrypted: | false |
SSDEEP: | 384:xwW87myIElgNQl5aeMMMd5wnV0UW0dcHZouKUA2qBeqR/X2MyX/Q7KxFa:6W87ImfA35mwbAUv0Ka |
MD5: | 88D836254519145C0BECDB0575F97DD9 |
SHA1: | C6F1C3752521FB0D1DA4F8A02D6961D4582F0477 |
SHA-256: | 1248D7F209260430892762CB7F714CFB898E586462C28D75DDE8E572FA77E3A7 |
SHA-512: | C9A10BDA50BEB079FBC8F7634051B69AE16E7A443C522EF93C5CA86180EAD19795F083DE5BEEE8308EBCC98093D63ABF2F8227219DE7CFBC359BECA5A3AE61FC |
Malicious: | false |
Reputation: | low |
URL: | https://download.dymo.com/dymo/Software/Win/DCDSetup1.4.5.1.exe |
Preview: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 16, 2024 22:06:00.887701035 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:00.887732983 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:00.887790918 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:00.893358946 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:00.893374920 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.161866903 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.197392941 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:01.197405100 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.201251030 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.201333046 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:01.202624083 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:01.202820063 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.408204079 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:01.408304930 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:11.140397072 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:11.140463114 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:06:11.140508890 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:12.722460985 CEST | 49167 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:06:12.722485065 CEST | 443 | 49167 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:00.843302011 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:00.843326092 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:00.843369007 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:00.843795061 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:00.843811989 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.112205982 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.112556934 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:01.112574100 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.113679886 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.114152908 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:01.114331007 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.320158005 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:01.320238113 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Apr 16, 2024 22:07:11.107811928 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:11.107886076 CEST | 443 | 49169 | 142.250.217.196 | 192.168.2.22 |
Apr 16, 2024 22:07:11.107935905 CEST | 49169 | 443 | 192.168.2.22 | 142.250.217.196 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 16, 2024 22:05:56.427490950 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:05:56.499222994 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:05:57.215408087 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:05:58.543112040 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 16, 2024 22:05:58.556121111 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 16, 2024 22:06:00.777909040 CEST | 57390 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 16, 2024 22:06:00.778359890 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 16, 2024 22:06:00.883301020 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:00.884367943 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:14.339659929 CEST | 53 | 61618 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:21.288310051 CEST | 53 | 63469 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:32.280762911 CEST | 53 | 64956 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:50.686141014 CEST | 53 | 65084 | 8.8.8.8 | 192.168.2.22 |
Apr 16, 2024 22:06:56.228439093 CEST | 53 | 51014 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 16, 2024 22:05:58.543112040 CEST | 192.168.2.22 | 8.8.8.8 | 0xfed8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 16, 2024 22:05:58.556121111 CEST | 192.168.2.22 | 8.8.8.8 | 0x675e | Standard query (0) | 65 | IN (0x0001) | false | |
Apr 16, 2024 22:06:00.777909040 CEST | 192.168.2.22 | 8.8.8.8 | 0x33de | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 16, 2024 22:06:00.778359890 CEST | 192.168.2.22 | 8.8.8.8 | 0x4555 | Standard query (0) | 65 | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 16, 2024 22:05:58.651005030 CEST | 8.8.8.8 | 192.168.2.22 | 0xfed8 | No error (0) | download.dymo.com.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 16, 2024 22:05:58.671186924 CEST | 8.8.8.8 | 192.168.2.22 | 0x675e | No error (0) | download.dymo.com.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 16, 2024 22:06:00.883301020 CEST | 8.8.8.8 | 192.168.2.22 | 0x4555 | No error (0) | 65 | IN (0x0001) | false | |||
Apr 16, 2024 22:06:00.884367943 CEST | 8.8.8.8 | 192.168.2.22 | 0x33de | No error (0) | 142.250.217.196 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 22:05:53 |
Start date: | 16/04/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fd20000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 22:05:55 |
Start date: | 16/04/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fd20000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 4 |
Start time: | 22:05:57 |
Start date: | 16/04/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff020000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |