
Analysis Report https://karim-imam.slite.com/api/s/note/SqnQsbLkBSz63u4ddagkVS/Forest-Contractors-Document

Overview

General Information

Sample URL:https://karim-imam.slite.com/api/s/note/SqnQsbLkBSz63u4ddagkVS/Forest-Contractors-Document

Most interesting Screenshot:

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

No high impact signatures.

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 4644 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5940 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4644 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4219a30a,0x01d630a4</date><accdate>0x4219a30a,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4219a30a,0x01d630a4</date><accdate>0x421c2b63,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4223b096,0x01d630a4</date><accdate>0x4223b096,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4223b096,0x01d630a4</date><accdate>0x4223b096,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4226260f,0x01d630a4</date><accdate>0x4226260f,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4226260f,0x01d630a4</date><accdate>0x4226260f,0x01d630a4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: karim-imam.slite.com
Source: box-469cf41adb11dc78be68c1ae7f9457a4[1].htm.2.dr | String found in binary or memory: http://insights-staging.hotjar.com
Source: box-469cf41adb11dc78be68c1ae7f9457a4[1].htm.2.dr | String found in binary or memory: http://local.hotjar.com
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.youtube.com/
Source: runtime~app-150c5f229068c15104d4[1].js.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/
Source: 404[1].htm.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/0.app-150c5f229068c15104d4.css
Source: 404[1].htm.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/3-d97a6b6dd6c2489ed543.js
Source: 404[1].htm.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/3.app-150c5f229068c15104d4.css
Source: 404[1].htm.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/app-80ea451253baaa2f1946.js
Source: 404[1].htm.2.dr | String found in binary or memory: https://assets.slite.com/app/stable-7.35.25/runtime~app-150c5f229068c15104d4.js
Source: 404[1].htm.2.dr | String found in binary or memory: https://cdn.segment.com/analytics.js/v1/
Source: imagestore.dat.2.dr | String found in binary or memory: https://cdn.slite.com/favicon/simple.ico
Source: imagestore.dat.2.dr | String found in binary or memory: https://cdn.slite.com/favicon/simple.ico~
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/GeomanistBook.woff)
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/GeomanistMedium.woff)
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/GeomanistRegular.woff)
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/RobotoBold.woff)
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/RobotoMedium.woff)
Source: 3.app-150c5f229068c15104d4[1].css.2.dr | String found in binary or memory: https://cdn.slite.com/fonts/RobotoRegular.woff)
Source: 32ws89n3[1].js.2.dr | String found in binary or memory: https://deploy.userpilot.io/
Source: 32ws89n3SDK[1].js.2.dr | String found in binary or memory: https://docs.userpilot.com
Source: 404[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Source
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/sourcecodepro/v11/HI_SiYsKILxRpg3hIP6sJ7fM7PqlPevQ.woff)
Source: box-469cf41adb11dc78be68c1ae7f9457a4[1].htm.2.dr | String found in binary or memory: https://insights-staging.hotjar.com
Source: ~DF395D05443702436F.TMP.1.dr | String found in binary or memory: https://karim-imam.slite.com/404
Source: {6B2286B9-9C97-11EA-AAE6-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: https://karim-imam.slite.com/404Root
Source: box-469cf41adb11dc78be68c1ae7f9457a4[1].htm.2.dr | String found in binary or memory: https://local.hotjar.com
Source: 404[1].htm.2.dr | String found in binary or memory: https://metrics.slite.com/graphql
Source: 32ws89n3SDK[1].js.2.dr | String found in binary or memory: https://run.userpilot.com/
Source: hotjar-1060620[1].js.2.dr | String found in binary or memory: https://script.hotjar.com/
Source: 404[1].htm.2.dr | String found in binary or memory: https://slite.com
Source: app-80ea451253baaa2f1946[1].js.2.dr | String found in binary or memory: https://slite.com/privacy
Source: ~DF395D05443702436F.TMP.1.dr | String found in binary or memory: https://vars.hotjar.com/box-469cf41adb11dc78be68c1ae7f9457a4.html
Source: box-469cf41adb11dc78be68c1ae7f9457a4[1].htm.2.dr | String found in binary or memory: https://www.hotjar.com
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/de.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/el.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/es.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/fi.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/fr.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/it.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/nl.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/pl.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/pt.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/pt_br.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/ru.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/sq.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/sv.html
Source: modules.6f96225a5dce34bcb8ed[1].js.2.dr | String found in binary or memory: https://www.hotjarconsent.com/zh.html
Source: unknown | Network traffic detected: HTTPS (port 443) connections to and from ephemeral client ports 49931-49964

Source: classification engine | Classification label: clean0.win@3/39@17/15
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B2286B7-9C97-11EA-AAE6-9CC1A2A860C6}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF3F205C045E4EE14B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4644 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4644 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

MITRE ATT&CK Matrix

(Trailing numbers in parentheses are the count of matched signatures for that technique.)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Graphical User Interface (1) | Winlogon Helper DLL | Process Injection (1) | Masquerading (1) | Credential Dumping | File and Directory Discovery (1) | Application Deployment Software | Data from Local System | Data Compressed | Standard Cryptographic Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection (1) | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots
