
Windows Analysis Report
http://77.90.38.170/sos.txt

Overview

General Information

Sample URL: http://77.90.38.170/sos.txt
Analysis ID: 1486304

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Drops PE files
Sigma detected: File Download From Browser Process Via Inline URL
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 7052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://77.90.38.170/sos.txt MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1912,i,13011242999335438035,17881528118678045836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No yara matches
Source: Process started
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data:
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://77.90.38.170/sos.txt
  CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://77.90.38.170/sos.txt
  CommandLine|base64offset|contains: -j~b,,
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe
  OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 6084
  ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://77.90.38.170/sos.txt
  ProcessId: 7052
  ProcessName: chrome.exe
No Snort rule has matched
Timestamp: 2024-08-01T22:47:21.570587+0200
SID: 2008438
Source Port: 80
Destination Port: 49696
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\Downloads\sos.txt.crdownload | Avira: detection malicious, Label: HEUR/AGEN.1318224
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 1MB later: 31MB
Source: unknown | TCP traffic detected without corresponding DNS query: 77.90.38.170
Source: global traffic | HTTP traffic detected:
GET /sos.txt HTTP/1.1
Host: 77.90.38.170
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: classification engine | Classification label: mal48.win@15/9@2/101
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\8115f05c-9517-4ef0-9b9d-169bd85ce62b.tmp
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://77.90.38.170/sos.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1912,i,13011242999335438035,17881528118678045836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\sos.txt.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\8115f05c-9517-4ef0-9b9d-169bd85ce62b.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
MITRE ATT&CK Matrix

Techniques are listed per tactic; a number in parentheses is the count shown next to that technique in the report.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: Registry Run Keys / Startup Folder (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Process Injection (1), Registry Run Keys / Startup Folder (1), Extra Window Memory Injection (1), Login Hook
Defense Evasion: Masquerading (1), Process Injection (1), Extra Window Memory Injection (1), Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: System Service Discovery, Application Window Discovery, Query Registry, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
