Windows
Analysis Report
https://www.provincialnetcash.com/SVEKYOP/kyop_mult_web_pub/index.html#
Overview
General Information
Detection
Score: | 21 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w7x64
- chrome.exe (PID: 2168 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --start- maximized "about:bla nk" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED) - chrome.exe (PID: 1052 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --type=u tility --u tility-sub -type=netw ork.mojom. NetworkSer vice --lan g=en-US -- service-sa ndbox-type =none --mo jo-platfor m-channel- handle=147 6 --field- trial-hand le=1256,i, 4293504143 906383849, 8966591030 562114885, 131072 --d isable-fea tures=Opti mizationGu ideModelDo wnloading, Optimizati onHints,Op timization HintsFetch ing,Optimi zationTarg etPredicti on /prefet ch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 2728 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " "https:/ /www.provi ncialnetca sh.com/SVE KYOP/kyop_ mult_web_p ub/index.h tml#" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED) - chrome.exe (PID: 3148 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --type=u tility --u tility-sub -type=netw ork.mojom. NetworkSer vice --lan g=en-US -- service-sa ndbox-type =none --mo jo-platfor m-channel- handle=144 4 --field- trial-hand le=1244,i, 1050623339 6208386409 ,258774021 2930642001 ,131072 /p refetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- cleanup
Click to jump to signature section
Phishing |
---|
Source: | LLM: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 2 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.google.com | 142.250.191.36 | true | false | high | |
www.provincialnetcash.com | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
142.250.191.36 | www.google.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1437898 |
Start date and time: | 2024-05-08 01:30:48 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | browseurl.jbs |
Sample URL: | https://www.provincialnetcash.com/SVEKYOP/kyop_mult_web_pub/index.html# |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 4 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus21.phis.win@21/5@6/2 |
EGA Information: | Failed |
HCA Information: |
|
- Exclude process from analysis (whitelisted): vga.dll
- Excluded IPs from analysis (whitelisted): 142.251.46.195, 172.217.12.110, 74.125.142.84, 34.104.35.123, 184.26.150.52, 142.250.191.42, 142.250.191.74, 142.251.46.170, 142.251.46.202, 172.217.164.106, 142.250.189.170, 142.250.189.202, 142.251.32.42, 142.251.46.234, 142.251.214.138, 172.217.12.106, 142.250.188.10, 142.250.189.234, 142.251.32.35
- Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, e17723.a.akamaiedge.net, content-autofill.googleapis.com, www.provincialnetcash.com.edgekey.net, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: https://www.provincialnetcash.com/SVEKYOP/kyop_mult_web_pub/index.html#
Input | Output |
---|---|
URL: https://www.provincialnetcash.com/SVEKYOP/kyop_mult_web_pub/index.html# | ```json{ "phishing_score": 8, "brands": "IBM", "phishing": true, "suspicious_domain": true, "has_loginform": true, "has_captcha": false, "setechniques": true, "blank": false, "reasons": "The URL 'https://www.provincialnetcash.com/SVEKYOP/kyop_mult_web_pub/index.html#' does not match the expected domain for IBM, which typically uses 'ibm.com'. The presence of a login form on a suspicious domain increases the likelihood of a phishing attempt. The site uses the IBM brand name and styling to appear legitimate, which is a common social engineering technique."} |
Process: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 28 |
Entropy (8bit): | 4.066108939837481 |
Encrypted: | false |
SSDEEP: | 3:GMyoSt:jFSt |
MD5: | 96B191AE794C2C78387B3F4F9BB7A251 |
SHA1: | F974547DF0ADFFB7E80699552C6BCE3E709343A6 |
SHA-256: | CE76758AEEF2CAF12021AFB5257D0CA4E9E5C20015C2C85D68BB27FA6B1AFB28 |
SHA-512: | 07EE1CFDBD53C1046FA4F44FF7C83F4456CDAA099299816B451D114E3EEAAD4BE8F0CD0FC09F0E838418BCBB5E50547E806E8E080B8E3421D0DB26FF4C15D412 |
Malicious: | false |
Reputation: | low |
URL: | https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA5LjAuNTQxNC4xMjASFwlgSEX-rDKUBxIFDeeNQA4SBQ3OQUx6?alt=proto |
Preview: |
Process: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 318 |
Entropy (8bit): | 0.8954609074739015 |
Encrypted: | false |
SSDEEP: | 3:PFErXllvlNl/AXll1//tn/55555555555555R:kyt/55555555555555R |
MD5: | 48EF31D7B8CB961FD55261CE750BD6A8 |
SHA1: | C0D46D8A20B4FA14530F92C9587D303AC6F94347 |
SHA-256: | 8A9FEA80F249B97C4075C4A2CD73FBCB005367375C41D8C4075806CB86EC9A72 |
SHA-512: | 8352BB4693CDCB3BA47E4C918D414A3A56B7C54D9F4334E167F795E516273A05ACB58108C3EFE0D56EF42B1A05571C4B74B78337FA7F2216752F8A715DE62DC5 |
Malicious: | false |
Reputation: | low |
URL: | https://www.provincialnetcash.com/favicon.ico |
Preview: |
Process: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 318 |
Entropy (8bit): | 0.8954609074739015 |
Encrypted: | false |
SSDEEP: | 3:PFErXllvlNl/AXll1//tn/55555555555555R:kyt/55555555555555R |
MD5: | 48EF31D7B8CB961FD55261CE750BD6A8 |
SHA1: | C0D46D8A20B4FA14530F92C9587D303AC6F94347 |
SHA-256: | 8A9FEA80F249B97C4075C4A2CD73FBCB005367375C41D8C4075806CB86EC9A72 |
SHA-512: | 8352BB4693CDCB3BA47E4C918D414A3A56B7C54D9F4334E167F795E516273A05ACB58108C3EFE0D56EF42B1A05571C4B74B78337FA7F2216752F8A715DE62DC5 |
Malicious: | false |
Reputation: | low |
Preview: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 8, 2024 01:31:41.640369892 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:41.640402079 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:41.640508890 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:41.670569897 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:41.670594931 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:42.059153080 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:42.151392937 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:42.151407957 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:42.152851105 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:42.152864933 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:42.152906895 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:43.225658894 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:43.225857973 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:43.444123983 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:43.444200993 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:52.066565990 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:52.066636086 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:31:52.066692114 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:52.124160051 CEST | 49168 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:31:52.124190092 CEST | 443 | 49168 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.536695004 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:41.536725998 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.536823988 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:41.537003040 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:41.537017107 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.918709040 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.919013023 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:41.919034004 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.919368029 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:41.919873953 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:41.919938087 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:42.124121904 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:42.124176025 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:51.962086916 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:51.962162018 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
May 8, 2024 01:32:51.962213993 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:52.120805025 CEST | 49174 | 443 | 192.168.2.22 | 142.250.191.36 |
May 8, 2024 01:32:52.120837927 CEST | 443 | 49174 | 142.250.191.36 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 8, 2024 01:31:37.184017897 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:37.320839882 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:38.521661043 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:40.318558931 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:40.318627119 CEST | 58105 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:41.464040041 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:41.464188099 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:41.628758907 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:41.636459112 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:44.458468914 CEST | 53 | 49608 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:31:46.045304060 CEST | 62453 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:46.045479059 CEST | 50568 | 53 | 192.168.2.22 | 8.8.8.8 |
May 8, 2024 01:31:56.290610075 CEST | 53 | 63469 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:32:03.147150040 CEST | 53 | 65009 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:32:14.168919086 CEST | 53 | 58971 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:32:32.279530048 CEST | 53 | 61598 | 8.8.8.8 | 192.168.2.22 |
May 8, 2024 01:32:37.073079109 CEST | 53 | 54950 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 8, 2024 01:31:40.318558931 CEST | 192.168.2.22 | 8.8.8.8 | 0xfea2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
May 8, 2024 01:31:40.318627119 CEST | 192.168.2.22 | 8.8.8.8 | 0x39fa | Standard query (0) | 65 | IN (0x0001) | false | |
May 8, 2024 01:31:41.464040041 CEST | 192.168.2.22 | 8.8.8.8 | 0x85b8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
May 8, 2024 01:31:41.464188099 CEST | 192.168.2.22 | 8.8.8.8 | 0xbaf1 | Standard query (0) | 65 | IN (0x0001) | false | |
May 8, 2024 01:31:46.045304060 CEST | 192.168.2.22 | 8.8.8.8 | 0xf1d4 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
May 8, 2024 01:31:46.045479059 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c4a | Standard query (0) | 65 | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 8, 2024 01:31:40.530556917 CEST | 8.8.8.8 | 192.168.2.22 | 0xfea2 | No error (0) | www.provincialnetcash.com.edgekey.net | CNAME (Canonical name) | IN (0x0001) | false | ||
May 8, 2024 01:31:40.548090935 CEST | 8.8.8.8 | 192.168.2.22 | 0x39fa | No error (0) | www.provincialnetcash.com.edgekey.net | CNAME (Canonical name) | IN (0x0001) | false | ||
May 8, 2024 01:31:41.628758907 CEST | 8.8.8.8 | 192.168.2.22 | 0xbaf1 | No error (0) | 65 | IN (0x0001) | false | |||
May 8, 2024 01:31:41.636459112 CEST | 8.8.8.8 | 192.168.2.22 | 0x85b8 | No error (0) | 142.250.191.36 | A (IP address) | IN (0x0001) | false | ||
May 8, 2024 01:31:46.283047915 CEST | 8.8.8.8 | 192.168.2.22 | 0xf1d4 | No error (0) | www.provincialnetcash.com.edgekey.net | CNAME (Canonical name) | IN (0x0001) | false | ||
May 8, 2024 01:31:46.332638025 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c4a | No error (0) | www.provincialnetcash.com.edgekey.net | CNAME (Canonical name) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 01:31:34 |
Start date: | 08/05/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f0f0000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 01:31:35 |
Start date: | 08/05/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f0f0000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 4 |
Start time: | 01:31:38 |
Start date: | 08/05/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f0f0000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 01:31:39 |
Start date: | 08/05/2024 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f0f0000 |
File size: | 3'151'128 bytes |
MD5 hash: | FFA2B8E17F645BCC20F0E0201FEF83ED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |