Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://link.mail.beehiiv.com/ls/click?upn=u001.FC1hxQg0vjMaKvj1drxxGhIhXUkPFfRxKlXXnsrz2PM25dqPmi4BtCTWgv3CiFmkz-2B7Hc09iqRIhx3uSmkdd7QE0-2BnHx0mpXdDH0R4j2ecXYT4gMlABijGBQgiruXhEAIyR4Mpg-2BI9rgqzsUm9Ym4ntMFzX8ZZqOUxeSkDzXxVoJ8WeSXobIPUv2N8-2F9AvCiXURXVJQullKL1fGIZARuroIP0Rwd-2BwTicddUz9m9843Wwh45Wj

Overview

General Information

Sample URL:https://link.mail.beehiiv.com/ls/click?upn=u001.FC1hxQg0vjMaKvj1drxxGhIhXUkPFfRxKlXXnsrz2PM25dqPmi4BtCTWgv3CiFmkz-2B7Hc09iqRIhx3uSmkdd7QE0-2BnHx0mpXdDH0R4j2ecXYT4gMlABijGBQgiruXhEAIyR4Mpg-2BI9rgqzsUm9
Analysis ID:1458474

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://link.mail.beehiiv.com/ls/click?upn=u001.FC1hxQg0vjMaKvj1drxxGhIhXUkPFfRxKlXXnsrz2PM25dqPmi4BtCTWgv3CiFmkz-2B7Hc09iqRIhx3uSmkdd7QE0-2BnHx0mpXdDH0R4j2ecXYT4gMlABijGBQgiruXhEAIyR4Mpg-2BI9rgqzsUm9Ym4ntMFzX8ZZqOUxeSkDzXxVoJ8WeSXobIPUv2N8-2F9AvCiXURXVJQullKL1fGIZARuroIP0Rwd-2BwTicddUz9m9843Wwh45WjoCgNjpFjIMwnkQSSVnjkmpl9RHa2uTbNVpomKKm17ID1RjWPCdBy0EpXuO2sCcEB2uqeViXVCzmBM-2FrQqLcPkSotW3jK1eSOlg-2FKIa8JRz653oEdMMsYT56-2FOhNIw5a9-2BNuZJkmfvFPOKaZLIZ65y5OLZQaLuQ7xTGAIgUdVXuzbgeFerxHGMDP8hEqzjUCIJN8hJ2DF1OZKFTvoEsLR51S78RvmTEJyLDECLNyB9Gf62lbie3o0yudclnajoEgplga1YLKYLTZ3MO6wqbJytm3RfP3wEE4vfXBg-3D-3Dnq7D_k5zaofJQ6PaDm4eQpA56e4xWG4OoVdk-2BXhZTssh6QwsCP88A0kMHGtSsxje-2F1AU3Us-2FAqI42-2Fyfjf1CXFECDeifYr626jCVDN-2Fp8UNMYaDS37CB4A9KTpDn9LWR6FZfUTkc5tU7dwMuI2jumTC7wXokNzeEDxuAqc35MGbfHe-2BRg-2B-2FsKUMtoWO6wwrECQ1IPwqZN-2F4JlCY9oDuBXPeL327ZURNFNTQcs2VIMFbLb-2FasgcPnr0Sj7W-2FozFbFnH0XAhOFjidPEbz-2F0-2B-2BZYu9PL9evq1fkkkU1uvY8VHkodsFQnKgXRtUzL00SmyXU158XJLD-2BweZymsamW640Y7FP9Lc8A-2By96oH3yG6P-2FhxEyLEUzjKuM5cKNwPaNcvbMuMQ-2Bt3Qgx771eCtv7AooKfSloIy67HE-2FxEYTbkr7jciWTgvvmIt0-2FKE-2FuKv8E6iUNBIlTu6ELpDdXGMI-2FHtH0KQBDQ-3D-3D MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 2816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3875392723416854500,2325133546994465528,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://firebasestorage.googleapis.com/2615514-.htmlHTTP Parser: No favicon
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknownHTTPS traffic detected: 92.123.104.59:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: chrome.exeMemory has grown: Private usage: 10MB later: 29MB
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknownTCP traffic detected without corresponding DNS query: 23.211.8.90
Source: global trafficDNS traffic detected: DNS query: link.mail.beehiiv.com
Source: global trafficDNS traffic detected: DNS query: rallysportmag.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficDNS traffic detected: DNS query: cloud.antibot.cloud
Source: global trafficDNS traffic detected: DNS query: alt.antibot.cloud
Source: global trafficDNS traffic detected: DNS query: ajax.cloudflare.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknownHTTPS traffic detected: 92.123.104.59:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: classification engineClassification label: clean0.win@15/14@18/141
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://link.mail.beehiiv.com/ls/click?upn=u001.FC1hxQg0vjMaKvj1drxxGhIhXUkPFfRxKlXXnsrz2PM25dqPmi4BtCTWgv3CiFmkz-2B7Hc09iqRIhx3uSmkdd7QE0-2BnHx0mpXdDH0R4j2ecXYT4gMlABijGBQgiruXhEAIyR4Mpg-2BI9rgqzsUm9Ym4ntMFzX8ZZqOUxeSkDzXxVoJ8WeSXobIPUv2N8-2F9AvCiXURXVJQullKL1fGIZARuroIP0Rwd-2BwTicddUz9m9843Wwh45WjoCgNjpFjIMwnkQSSVnjkmpl9RHa2uTbNVpomKKm17ID1RjWPCdBy0EpXuO2sCcEB2uqeViXVCzmBM-2FrQqLcPkSotW3jK1eSOlg-2FKIa8JRz653oEdMMsYT56-2FOhNIw5a9-2BNuZJkmfvFPOKaZLIZ65y5OLZQaLuQ7xTGAIgUdVXuzbgeFerxHGMDP8hEqzjUCIJN8hJ2DF1OZKFTvoEsLR51S78RvmTEJyLDECLNyB9Gf62lbie3o0yudclnajoEgplga1YLKYLTZ3MO6wqbJytm3RfP3wEE4vfXBg-3D-3Dnq7D_k5zaofJQ6PaDm4eQpA56e4xWG4OoVdk-2BXhZTssh6QwsCP88A0kMHGtSsxje-2F1AU3Us-2FAqI42-2Fyfjf1CXFECDeifYr626jCVDN-2Fp8UNMYaDS37CB4A9KTpDn9LWR6FZfUTkc5tU7dwMuI2jumTC7wXokNzeEDxuAqc35MGbfHe-2BRg-2B-2FsKUMtoWO6wwrECQ1IPwqZN-2F4JlCY9oDuBXPeL327ZURNFNTQcs2VIMFbLb-2FasgcPnr0Sj7W-2FozFbFnH0XAhOFjidPEbz-2F0-2B-2BZYu9PL9evq1fkkkU1uvY8VHkodsFQnKgXRtUzL00SmyXU158XJLD-2BweZymsamW640Y7FP9Lc8A-2By96oH3yG6P-2FhxEyLEUzjKuM5cKNwPaNcvbMuMQ-2Bt3Qgx771eCtv7AooKfSloIy67HE-2FxEYTbkr7jciWTgvvmIt0-2FKE-2FuKv8E6iUNBIlTu6ELpDdXGMI-2FHtH0KQBDQ-3D-3D
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3875392723416854500,2325133546994465528,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3875392723416854500,2325133546994465528,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Registry Run Keys / Startup Folder
1
Process Injection
1
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Registry Run Keys / Startup Folder
1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Extra Window Memory Injection
1
Extra Window Memory Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact

This section contains all screenshots as thumbnails, including those not shown in the slideshow.