
Analysis Report https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327

Overview

General Information

Sample URL: https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327
Analysis ID: 349157

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6080 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5924 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • iexplore.exe (PID: 5988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\2327.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2092 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 54.177.210.138:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.66:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.66:443 -> 192.168.2.5:49763 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.5: -> 143.204.15.131:
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.5: -> 216.58.207.170:
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.5: -> 216.58.207.174:
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.5: -> 143.204.15.81:
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.5: -> 104.16.18.94:
Source: unknown | DNS traffic detected: queries for: somervoice.somervillema.gov
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: classification engine | Classification label: mal48.win@7/21@13/3
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF945E8E7F0625E9E8.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\2327.html
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://somervoice.somervillema.gov/novel-coronavirus-resources-for-businesses/widgets/16897/videos/2327'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: wget.exe, 00000002.00000003.236779922.0000000001040000.00000004.00000001.sdmp, 2327.2.dr | Binary or memory string: Courtney Breese, Program Manager, Massachusetts Office of Public Collaboration
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Matched techniques carry the number of triggering signatures in parentheses.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (2) | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (2) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | 

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.
Screenshots
