
Analysis Report http://hudsoncovidvax.org/register

Overview

General Information

Sample URL: http://hudsoncovidvax.org/register
Analysis ID: 354427

Most interesting Screenshot:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Startup

  • System is w10x64
  • cmd.exe (PID: 5944 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://hudsoncovidvax.org/register' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5320 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://hudsoncovidvax.org/register' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • iexplore.exe (PID: 752 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\register.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4904 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:752 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 52.222.120.45:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.222.120.45:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.222.120.45:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: global traffic | HTTP traffic detected: GET /register HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: hudsoncovidvax.org | Connection: Keep-Alive
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbdcfa0fe,0x01d705b3</date><accdate>0xbdcfa0fe,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbdcfa0fe,0x01d705b3</date><accdate>0xbdcfa0fe,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbdd20301,0x01d705b3</date><accdate>0xbdd20301,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbdd20301,0x01d705b3</date><accdate>0xbdd20301,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbdd46566,0x01d705b3</date><accdate>0xbdd46566,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbdd46566,0x01d705b3</date><accdate>0xbdd46566,0x01d705b3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: hudsoncovidvax.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: classification engine | Classification label: clean1.win@7/19@3/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0BFD6412979B4C12.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: wget.exe | String found in binary or memory: ext-sm leading-5 text-gray-500"> <img class="h-6 w-6 w-auto" src="/images/loading.gif" alt="Loader" /> </div> </div> </div> </div> </div> <div class="bg-gray-50 px-4 py-3
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://hudsoncovidvax.org/register' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://hudsoncovidvax.org/register'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\register.html
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:752 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://hudsoncovidvax.org/register'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:752 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed per tactic column; the number in parentheses is the count of matching signatures shown for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery (1); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (12); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 354427 | URL: http://hudsoncovidvax.org/r... | Startdate: 17/02/2021 | Architecture: WINDOWS | Score: 1
Processes: cmd.exe and iexplore.exe were started by the sample; wget.exe and conhost.exe were started by cmd.exe; a second iexplore.exe was started by the first iexplore.exe.
DNS/IP info: hudsoncovidvax.org 52.222.120.45, 443, 49712, 49714 AMAZONEXPANSIONGB United States (contacted by wget.exe); cdn.jsdelivr.net (contacted by the second iexplore.exe).

Screenshots
