Edit tour

Windows Analysis Report
http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe

Overview

General Information

Sample URL:	http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe
Analysis ID:	1432074
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Drops executables to the windows directory (C:\Windows) and starts them

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Sigma detected: File Download From Browser Process Via Inline URL

Stores files to the Windows start menu directory

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

chrome.exe (PID: 5132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 8040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

u1ra101us17.exe (PID: 1980 cmdline: "C:\Users\user\Downloads\u1ra101us17.exe" MD5: E372109B2BD3B0F50EF462D53E9989BA)

u1ra101us17.tmp (PID: 3392 cmdline: "C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp" /SL5="$80240,3550847,180224,C:\Users\user\Downloads\u1ra101us17.exe" MD5: DA27AEF67635F21FF5723FCD2DB5D2F9)

cleanup

Sigma Signatures

Sigma detected: File Download From Browser Process Via Inline URL

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2984, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe, ProcessId: 5132, ProcessName: chrome.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.8:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49721 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.120.112

Source: global traffic	DNS traffic detected: DNS query: download.lenovo.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.8:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49721 version: TLS 1.2

Source: C:\Users\user\Downloads\u1ra101us17.exe	File created: C:\Windows\TempInst
Source: C:\Users\user\Downloads\u1ra101us17.exe	File created: C:\Windows\TempInst\is-5AHOE.tmp
Source: C:\Users\user\Downloads\u1ra101us17.exe	File created: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\is-BBEMV.tmp
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\TempInst\is-2L981.tmp
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\TempInst\is-2L981.tmp\_isetup
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

File deleted: C:\Windows\is-BBEMV.tmp

Source: classification engine

Classification label: sus23.evad.win@24/12@8/89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\a37fe17a-04a3-4a31-9e10-b8ef14f0235f.tmp

Source: C:\Users\user\Downloads\u1ra101us17.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Downloads\u1ra101us17.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Downloads\u1ra101us17.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1984,i,16616354626430115823,17598558010190862369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\u1ra101us17.exe "C:\Users\user\Downloads\u1ra101us17.exe"
Source: C:\Users\user\Downloads\u1ra101us17.exe	Process created: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp "C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp" /SL5="$80240,3550847,180224,C:\Users\user\Downloads\u1ra101us17.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\u1ra101us17.exe "C:\Users\user\Downloads\u1ra101us17.exe"
Source: C:\Users\user\Downloads\u1ra101us17.exe	Process created: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp "C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp" /SL5="$80240,3550847,180224,C:\Users\user\Downloads\u1ra101us17.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\u1ra101us17.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\u1ra101us17.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\u1ra101us17.exe	Section loaded: apphelp.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: version.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: uxtheme.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: kernel.appcore.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: wtsapi32.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: winsta.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: textinputframework.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: coreuicomponents.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: coremessaging.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: ntmarta.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: coremessaging.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: wintypes.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: wintypes.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: wintypes.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: windows.storage.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: wldp.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: profapi.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: shfolder.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: rstrtmgr.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: ncrypt.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: ntasn1.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: textshaping.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: msftedit.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: windows.globalization.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: bcp47langs.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: bcp47mrm.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: globinputhost.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: windows.ui.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: windowmanagementapi.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: inputhost.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: propsys.dll
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Section loaded: dwmapi.dll

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Window found: window name: TMainForm

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Downloads\u1ra101us17.exe

Executable created and started: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\a37fe17a-04a3-4a31-9e10-b8ef14f0235f.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 690274.crdownload	Jump to dropped file
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Downloads\u1ra101us17.exe	File created: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Jump to dropped file

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	File created: C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp			Jump to dropped file
Source: C:\Users\user\Downloads\u1ra101us17.exe	File created: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\Downloads\u1ra101us17.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Dropped PE file which has not been started: C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp

Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	121 Masquerading	OS Credential Dumping	2 System Owner/User Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\Downloads\Unconfirmed 690274.crdownload	0%	ReversingLabs
C:\Users\user\Downloads\Unconfirmed 690274.crdownload	0%	Virustotal	Browse
C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	2%	ReversingLabs
C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp	1%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	192.178.50.68	true	false		high
download.lenovo.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.189.142	unknown	United States	15169	GOOGLEUS	false
23.45.182.85	unknown	United States	20940	AKAMAI-ASN1EU	false
192.178.50.67	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
192.178.50.68	www.google.com	United States	15169	GOOGLEUS	false
173.194.211.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
184.84.136.138	unknown	United States	16625	AKAMAI-ASUS	false
23.43.44.216	unknown	United States	18734	OperbesSAdeCVMX	false
172.217.3.67	unknown	United States	15169	GOOGLEUS	false
142.250.217.238	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432074
Start date and time:	2024-04-26 11:38:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus23.evad.win@24/12@8/89

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.217.3.67, 184.84.136.138, 142.250.189.142, 173.194.211.84, 34.104.35.123
Excluded domains from analysis (whitelisted): download.lenovo.com.edgekey.net.globalredir.akadns.net, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, download.lenovo.com.akadns.net, clientservices.googleapis.com, e7741.d.akamaiedge.net, clients.l.google.com, download.lenovo.com.edgekey.net
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	unknown
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1475546137593846
Encrypted:	false
SSDEEP:
MD5:	C39790BDFF39FFDA7DC57AEDB5C44C24
SHA1:	2D8335FE579300FE70B4AA8726445CF1D7EF1F7E
SHA-256:	391A25FCEBDD66B910F674C1D9BA28FBFFF1DB0364BB1EBF25DBD0CD27041B8D
SHA-512:	CAC94A94987753BB8DAA177925155E2E2C9043CFDC7C2920BC705AD2C5EA46DB3B630DDFBA6426160D8453F39CC475D93B55840C30A0CE660214FCA4F671979F
Malicious:	false
Reputation:	unknown
Preview:	p...... ........x.......(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 08:38:36 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.993854306492525
Encrypted:	false
SSDEEP:
MD5:	4770D8B0943E3B8038AA21A24A490C04
SHA1:	9BFDD97044502E425ABC223CEAA85FCC9071020D
SHA-256:	BAE2438E48E73A4EDE7EF249FD2613D9D5AC304BD44F27CE67736A4865C6CC13
SHA-512:	239DB61B8B7238E412B682CF8BB18095BF38849107620CBF320884DF3B1D1D58513AB96C38834B828C90813EAB3BC0FED18ECFF66F2F92AD8F9C43341E3B3AE1
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....P./.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.L...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 08:38:36 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.0094383720368025
Encrypted:	false
SSDEEP:
MD5:	802B24D5F759A7A67505F6B1A0E3A245
SHA1:	49C8662DBF69C89DE440E9DECC7D37B56F92BE6D
SHA-256:	EA3FA04FED304102FDC0F19203403721FEBD2106E9BEAC5A19F50A763449EA17
SHA-512:	6C45C161462BF322214241D656EC23E1A172001BF0DAF0E986F1C0DAE6ECE7F9D13E5333981B2A2172A73D4BA1ABD040ECAC0E3F82DF83B28AECD38B24FC905A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,................y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.L...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.016653835960216
Encrypted:	false
SSDEEP:
MD5:	45A001C48BC5DF86AC91131526CA1C09
SHA1:	250A5F375A12D154A0F58E5D9CFFA28EF55502C6
SHA-256:	12293507DCA6B231DACBB477EA8F7295E93DFCAFAFC2B793D360C3F98968B5FC
SHA-512:	EB4E7B1B503E2AFB6A565FDE0B833BC23043A4EF23E665897450154D18EAC3B255B4AE2D457A9F9EA29B1D9C847574ADC3043CF5B20070F0F3401A3C5DB6D581
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 08:38:36 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.0094763965999505
Encrypted:	false
SSDEEP:
MD5:	27A6F5636E0F7E2EAB227EF9FFC45377
SHA1:	0121A8CD1679913F6C4E03D9DB6C1CA9DFFF713F
SHA-256:	15CCBF6149AA573E689DFB180D77D034AAE40E22CD2C2BDEC01DC9AE1967677C
SHA-512:	7081C907AD344D1430969371E616D0FE4BCED1B74ED1D692E0FFCC995FAD254AC9D39D0454B69CFF506EBC7AF51DE62849A77AEF9A146511782AE9D3DD0A2795
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,................y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.L...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 08:38:36 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9976975506458943
Encrypted:	false
SSDEEP:
MD5:	171DFC2C36740B3DEC7C0E93E73259CF
SHA1:	7BD3E51F4DD366D29F6E17549609F2BF09AFFDC4
SHA-256:	6DC01DD87A6FECE87A8BE0BF8D3BD9FBE75E1C5EED0EC14DD1D010484E5399EB
SHA-512:	0486673A40D37C3378B20564C5EEDF5AA946952084D8457C7912E3686E4E56C92B09635FF72165509DB144929BD7FCBEE92A9B255187BFF6EF9D2C126BC289EA
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....I'.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.L...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 08:38:36 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.010329488555458
Encrypted:	false
SSDEEP:
MD5:	525939551DB70E9E52F04526A4B90541
SHA1:	327D474767C2CC1AE0CCB560C943EFA0F9FB5BED
SHA-256:	4DA21D34916004307B8020482D7FD77ACB4E77CB6BF280BAB3F21D912A0CC06D
SHA-512:	D34914B4D3428F9AA5F35FBB4468AC67743AD1744770F411643DCD05F346875C336EE255BB501E5B39E01116DD8F945395CA3E4BDA997FEC58383A50BFD96EEB
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....>...........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.L....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X.L....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.L...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.L...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............`=......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\Unconfirmed 690274.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4336720
Entropy (8bit):	7.987807467068793
Encrypted:	false
SSDEEP:
MD5:	E372109B2BD3B0F50EF462D53E9989BA
SHA1:	94D80DFE20689B9C47B32E4C25875731AF4BD20B
SHA-256:	81CB774D3527ACAB6003E200FEF2E285BE7E6042693969FC25E38EDB71A562EC
SHA-512:	CDA8B17EFAEBA6CB6100409C92C8752E703D866E148D57273592C0DB059D6B7B1E649D7D61B34861B3FF286D2E4925FF55241F62197D8911A2F8AF7B7573DC2F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...R..^.................P...l.......[.......p....@...................................C...@......@................... ..q.......H....P...8.......... .B.0....................................@......................d...........>....................text....:.......<.................. ..`.itext..h....P.......@.............. ..`.data...(....p.......T..............@....bss....Xa...............................idata..H............l..............@....didata.>............t..............@....edata..q.... ......................@..@.tls.........0...........................rdata..]....@......................@..@.rsrc....8...P...8..................@..@....................................@..@........................................................

C:\Users\user\Downloads\a37fe17a-04a3-4a31-9e10-b8ef14f0235f.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16074
Entropy (8bit):	6.24186527968806
Encrypted:	false
SSDEEP:
MD5:	BBEC9F6E3AF3DDEBEBF992B4D88FE564
SHA1:	8812736E10C3F9BF283B24A54212D489ADD17D41
SHA-256:	96B1767D6EA0ECAFBE1BBA6C59C59B5D31BCD19F0A383B46D47F7D469B47AF3B
SHA-512:	2BACFBEF15E1BC11BAB790013502224998B662253CC342FE742DD4B7E8D5E87A97092534F256A882E5A2BAEE109809CD12DFFC4E6FF65825420E7C7B5B120105
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...R..^.................P...l.......[.......p....@...................................C...@......@................... ..q.......H....P...8.......... .B.0....................................@......................d...........>....................text....:.......<.................. ..`.itext..h....P.......@.............. ..`.data...(....p.......T..............@....bss....Xa...............................idata..H............l..............@....didata.>............t..............@....edata..q.... ......................@..@.tls.........0...........................rdata..]....@......................@..@.rsrc....8...P...8..................@..@....................................@..@........................................................

C:\Users\user\Downloads\u1ra101us17.exe (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	E372109B2BD3B0F50EF462D53E9989BA
SHA1:	94D80DFE20689B9C47B32E4C25875731AF4BD20B
SHA-256:	81CB774D3527ACAB6003E200FEF2E285BE7E6042693969FC25E38EDB71A562EC
SHA-512:	CDA8B17EFAEBA6CB6100409C92C8752E703D866E148D57273592C0DB059D6B7B1E649D7D61B34861B3FF286D2E4925FF55241F62197D8911A2F8AF7B7573DC2F
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...R..^.................P...l.......[.......p....@...................................C...@......@................... ..q.......H....P...8.......... .B.0....................................@......................d...........>....................text....:.......<.................. ..`.itext..h....P.......@.............. ..`.data...(....p.......T..............@....bss....Xa...............................idata..H............l..............@....didata.>............t..............@....edata..q.... ......................@..@.tls.........0...........................rdata..]....@......................@..@.rsrc....8...P...8..................@..@....................................@..@........................................................

C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Download File

Process:	C:\Users\user\Downloads\u1ra101us17.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2913840
Entropy (8bit):	6.457664673539778
Encrypted:	false
SSDEEP:
MD5:	DA27AEF67635F21FF5723FCD2DB5D2F9
SHA1:	ACD0929D0A8E19F1EE315C5ACE271969BFF3D597
SHA-256:	C5167284574EEFE9780BB5606B1FC6E8D7E836A2BE2C873976E0E29DA3903ADA
SHA-512:	7DC7DBA8FD0F0E34A60591777EB876EB31ACB7E23A1D028AFD03EE414D2B87639CEC902287D7099D5F0A0CF69186EF30DC57813D8FE7E4F0535F98B1147D45F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...T..^.................^..........s..........@..........................0-.......,...@......@....................+......`+.......+..:...........\,.0.....................................+......................b+......p+..M...................text....7......8................. ..`.itext...%...P..&...<............. ..`.data...4^......`...b.............@....bss.....q..............................idata.......`+....................@....didata..M...p+..N.................@....edata........+.......+.............@..@.tls....H.....+..........................rdata..].....+...... +.............@..@.rsrc....:....+..:..."+.............@..@.............0-......\,.............@..@........................................................

Static File Info

⊘No static file info

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\Unconfirmed 690274.crdownload

C:\Users\user\Downloads\a37fe17a-04a3-4a31-9e10-b8ef14f0235f.tmp

C:\Users\user\Downloads\u1ra101us17.exe (copy)

C:\Windows\TempInst\is-2L981.tmp\_isetup\_setup64.tmp

C:\Windows\TempInst\is-5AHOE.tmp\u1ra101us17.tmp

Static File Info

Windows Analysis Report
http://download.lenovo.com/pccbbs/desktop/u1ra101us17.exe