Loading ...

Play interactive tourEdit tour

Analysis Report https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.be

Overview

General Information

Sample URL:https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.be
Analysis ID:350539

Most interesting Screenshot:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Form action URLs do not match main URL
Found iframes
HTML body contains low number of good links
HTML title does not match URL
Submit button contains javascript call
Suspicious form URL found
URL contains potential PII (phishing indication)

Classification

Startup

  • System is w10x64
  • chrome.exe (PID: 5152 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.be' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 1364 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,17904341760629683302,5698386004384518543,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1684 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.beUrlScan: detection malicious, Label: phishing brand: microsoftPerma Link
Antivirus detection for URL or domainShow sources
Source: https://32273976467384105930.eu-gb.cf.appdomain.cloud/#covid19@rztienen.beUrlScan: Label: phishing brand: microsoftPerma Link
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uUrlScan: Label: phishing brand: microsoftPerma Link
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/Avira URL Cloud: Label: phishing
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qAvira URL Cloud: Label: phishing
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloudAvira URL Cloud: Label: phishing
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Form action: https://frontlinecommunications.network/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2.php appdomain frontlinecommunications
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Form action: https://frontlinecommunications.network/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2.php appdomain frontlinecommunications
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Iframe src: css/dest5.html
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Iframe src: css/storage.html
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Iframe src: css/dest5.html
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Iframe src: css/storage.html
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Number of links: 0
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Number of links: 0
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Title: SharePoint Mobile App for Android, Apple does not match URL
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Title: SharePoint Mobile App for Android, Apple does not match URL
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: On click: return validate();
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: On click: return validate();
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Form action: https://frontlinecommunications.network/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2.php
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: Form action: https://frontlinecommunications.network/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2/sharep-shk-43f432c9b6fad8243f432c9e2.php
Source: https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.beSample URL: PII: covid19@rztienen.be
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: No <meta name="author".. found
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: No <meta name="author".. found
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: No <meta name="copyright".. found
Source: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm#://32273976467384105930.eu-gb.cf.appdomain.cloud/:903092a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2qESwbhSnief4OL_VfRFmzw6HgUoESwb_hSnief4OLVfRFm37784=w020--2uHTTP Parser: No <meta name="copyright".. found

Compliance:

barindex
Creates a directory in C:\Program FilesShow sources
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
Uses secure TLS version for HTTPS connectionsShow sources
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49792 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: unknownDNS traffic detected: queries for: 894f2824690f4f688cb014399e893234.svc.dynamics.com
Source: Current Session.0.drString found in binary or memory: https://32273976467384105930.eu-gb.cf.appdomain.cloud
Source: Network Action Predictor.0.drString found in binary or memory: https://32273976467384105930.eu-gb.cf.appdomain.cloud/
Source: Current Session.0.dr, History.0.drString found in binary or memory: https://32273976467384105930.eu-gb.cf.appdomain.cloud/#covid19
Source: Current Session.0.dr, History.0.drString found in binary or memory: https://32273976467384105930.eu-gb.cf.appdomain.cloud/perl/token/reactjs/?92a6281f-d6ba-4907-aeb5-a6
Source: Current Session.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud
Source: Network Action Predictor-journal.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud/
Source: History.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud/?92a6281f-d6ba-4907-aeb5-a668ae5df160vU053dh2q
Source: Current Session.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud/css/dest5.html
Source: Current Session.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud/css/storage.html
Source: Current Session.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloud=5https://32273976467384105930.eu-gb.cf.appdoma
Source: Current Session.0.drString found in binary or memory: https://47410795723635106367.eu-gb.cf.appdomain.cloudh
Source: History.0.drString found in binary or memory: https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDc
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.dr, manifest.json0.0.drString found in binary or memory: https://accounts.google.com
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.dr, manifest.json0.0.drString found in binary or memory: https://apis.google.com
Source: 0eab880a7eb32e9b_0.0.dr, a21476c205fe2897_0.0.drString found in binary or memory: https://appdomain.cloud/
Source: 3de03e4ace9be524_0.0.drString found in binary or memory: https://appdomain.cloud/(
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://clients2.google.com
Source: manifest.json0.0.drString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json0.0.drString found in binary or memory: https://content.googleapis.com
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.dr, 806b53b5-432d-474e-8896-c81c2150adad.tmp.1.dr, 54c0d32b-b64d-4ac6-8909-bd7dffab1345.tmp.1.drString found in binary or memory: https://dns.google
Source: manifest.json0.0.drString found in binary or memory: https://feedback.googleusercontent.com
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.0.drString found in binary or memory: https://fonts.googleapis.com;
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.0.drString found in binary or memory: https://fonts.gstatic.com;
Source: manifest.json0.0.drString found in binary or memory: https://hangouts.google.com/
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://ogs.google.com
Source: manifest.json.0.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://play.google.com
Source: manifest.json.0.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://ssl.gstatic.com
Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.dr, manifest.json0.0.drString found in binary or memory: https://www.google.com
Source: manifest.json.0.drString found in binary or memory: https://www.google.com/
Source: manifest.json0.0.drString found in binary or memory: https://www.google.com;
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: b835b65e-20f3-4464-8424-2379eda66ff8.tmp.1.drString found in binary or memory: https://www.gstatic.com
Source: manifest.json0.0.drString found in binary or memory: https://www.gstatic.com;
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknownHTTPS traffic detected: 158.176.79.200:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49792 version: TLS 1.2
Source: unknownHTTPS traffic detected: 141.125.73.152:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: classification engineClassification label: mal56.win@29/165@5/6
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-602314F5-1420.pmaJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\c8db6bd9-836d-4cb1-86a7-19eadf8d4161.tmpJump to behavior
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'https://894f2824690f4f688cb014399e893234.svc.dynamics.com/t/r/vb3XY_VLx7l-xHga3YHy8JRbFYUbDDzXt6qsDcUtzO0#covid19@rztienen.be'
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,17904341760629683302,5698386004384518543,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1684 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,17904341760629683302,5698386004384518543,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1684 /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Drive-by Compromise1Scripting1Path InterceptionProcess Injection1Masquerading3OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Scripting1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.