Analysis Report https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9

Overview

General Information

Sample URL:	https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9
Analysis ID:	338878
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Signatures

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68a89723,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68aaf93e,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: partnersinhealth.sharepoint.com

Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://az741266.vo.msecnd.net/files/odsp-next-prod-amd_2020-12-04-sts_20201208.001/
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://github.com/microsoft/fluentui/wiki/Using-icons
Source: wget.exe, 00000002.00000002.212219619.00000000014B6000.00000004.00000040.sdmp, cmdline.out.2.dr	String found in binary or memory: https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://partnersinhealth.sharepoint.com/sites/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://spoprod-a.akamaihd.net
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://spoprod-a.akamaihd.net/files/fabric-cdn-prod_20201008.001/assets/item-types/
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://spoprod-a.akamaihd.net/files/odsp-common-library-prod_2019-02-15_20190219.002/require.js
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: classification engine

Classification label: clean0.win@7/18@3/2

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3A4ED906E2C2A4CC.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9' > cmdline.out 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.html
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9'	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
40.108.137.41	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
18164-ipv4.farm.prod.aa-rt.sharepoint.com	40.108.137.41	true
partnersinhealth.sharepoint.com	unknown	unknown
spoprod-a.akamaihd.net	unknown	unknown

ID:	338878
Product:	CloudBasic
Start time:	01:55:22
Start date:	13.01.2021
Cookbook:	urldownload.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{936DC963-5585-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	B0597B3AC8E190D261ABCB13EDFF1434	0CF4BBE91D9C10F6BF3716261CC4499E6D2D26FD	1E0FCBD36579F314189BC895C736C4C19737C58D77B0921D14659CA2AE2DF1D6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{936DC965-5585-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	5684A0B6DD93E6956BB5BC78519AA698	F0C2B291DE1C373CF629F12923DA4B47D7BD89DD	D7A70796123125B9CB660F027B00D67B057FDCA5983FF916BD0B4CAF39A10804
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	3189F12305A29213FEEE3D258EC7113B	E58B953D45CB0EAFCD3458B091352DAE3E083DFB	CADD0BA5B4FA5E5DF6A13D1EE7E874765507ED399C652D1F32E8A5BE63294D8C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	019737DF1CDF8F3351C91CD933BB5BE7	3134DC169EEDEF30B751C9A0DCCA878CE5367AA0	729E275FE943D2C75EFCCA6B07F34E8DF6ECFA904B3B04148F09811A5B093723
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E6FCA072E7BC8154138D240B6D67B9CC	FA7BBE84D82E2E5F4B47651ED03E944EB926A7C4	0DC29118F756850A8D09F61ED8CA3FFC768FFD324F98485F3AB16F9603B8D0FA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	0EE4592AC16B19AC08789E911F5B5486	D8A362BB195BD8929B6A721D9FBF7554C1D9DE9A	73011F6851EFEA39A4478101B7AD690D63E97237F1B47AE99271FBF402DFA952
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	10EBD6C78C8629C3CF8B3F2CD138F234	D8FA56F42E153A446C57F50FBBA84DFFD83D3282	87CBE17AD9839C47C4433E7707A1492AF3B1AE9DA14183B37F438266F84FD1AC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	52A2F6E5D7C40F615C356D7466069306	F542C6B2B408D92FFE8CA6A881375D63B4F9EAB6	36A54D52BDFB803C10268FFFB74FDCF20316CD2D4D1EC554DF4BA2D87A6D98CA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	465725C770B6B1F4B405119CA19845A9	0A6C6574C8A0686EE472BDCA52AE2597C18DD572	7CA2082B7C9682A4AA0570B967643DE7C1A9C4CE7001FC1F9D339656BCA0F419
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8808DD65D0D126F30E0E09D86605B9A0	C3CFE1E965F5105E76ADCAC97CE350054219D13D	B89325E8306BE5AFBB50200C2C5CB04EFB35ED1D094ADFFBFC0AADE01543FF0E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	1443C948F560E99D389F8DFCC367B1AA	C665E5FF179F6CCD5C0B944DBF2CE480EFCE1013	16178F3D7A84927E88DE8FCE30EB4324E3B37D46533B6CB229CD512E4A602520
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\xlsx[1].png	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	DF5801D25ACC3A3F1F23301440C00096	048E30F257749D063704FEFD74E2782D905344BC	687E84B08DA5544F8B05CB4C4CC9941D9B36461C594F9805382D18030710C371
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\spoguestaccess-a0017cc2[1].js	ASCII text, with very long lines	A0017CC26C936403E7606856755692A7	A87C65638A0FEBAA076F5316033BA08CDE5ED843	08BD9EDCC17CC0B47080B229C0A88A4347000B2904A7F5DFFD37C7DD07A99C22
C:\Users\user\AppData\Local\Temp\~DF3A4ED906E2C2A4CC.TMP	data	9E9F9E6E722E977139EA68A53AAB6B16	F9A75AFAF27BD48C649855EA637017DB2E978398	0209F6C80C1F3585E3E655111732BD55BDB298B75E10A84EA99FAA78A1C56ACF
C:\Users\user\AppData\Local\Temp\~DFF5BAC88AD18566F0.TMP	data	1C16DCF93BE5EC3608EF021DD8D119A3	1494425E51E6C56840DA889916BDC0C26D17EB10	5FDE717FFE45627D9E572E558A519A2AB3E7BB6B2631D0444D3D49A69DF14916
C:\Users\user\Desktop\cmdline.out	ASCII text, with CRLF line terminators	2E288A32724221E0457004F06B37A81C	CA43B7B04C00D17967DB1C223FC00A70C8432E35	A084D759889212664C61E42E02658C0B0313A883C4327809B08A8547F9F41C35
C:\Users\user\Desktop\download\.wget-hsts	ASCII text, with CRLF line terminators	5D63833B62B2B08BA0A49C127B052D52	7B20A4EA95A1E8D447FE88B8211B082EEE65D4AF	F7AD31DA55D1E035BC0C548B5CDD577077D16B68E0469F19CE9B12BD0393E933
C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9	HTML document, ASCII text, with very long lines, with CRLF, LF line terminators	5ACA5A2FFE3302CB271ACE70DC0FE36E	91A88DBC7EEC2E1B069367E4F14E7D2979343573	74D4D2EA5C75CA9C2E5856D9E9DF05ADDAA8F07D3A9F84F291D8C6FA3BB1C69D

Analysis Report https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains