Analysis Report https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download

Overview

General Information

Sample URL: https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download
Analysis ID: 404275

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 466 ICMP L3retriever Ping 192.168.2.6 -> 142.250.185.99
Source: unknown DNS traffic detected: queries for: clients2.googleusercontent.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: classification engine Classification label: mal48.win@36/169@1/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\45040fc5-b1d0-4b6a-be95-a5f4e016b916.tmp
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download'
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'C:\Users\user\Desktop\download\uc@id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download.html'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,12290585205416118591,770383313206273744,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1708 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00B5C3E8 push C800B5C8h; ret 2_2_00B5C61D
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00B4A915 push eax; retf 2_2_00B4A9B1
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00B53968 pushfd ; retf 0076h 2_2_00B5396A
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: wget.exe Binary or memory string: Hyper-V RAW

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph (ID: 404275; URL: https://drive.google.com//u...; start date: 04/05/2021; architecture: WINDOWS; score: 48)

Signature: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
chrome.exe (started) -> chrome.exe (started); contacted 192.168.2.1 (unknown) and 239.255.255.250 (Reserved)
child chrome.exe contacted googlehosted.l.googleusercontent.com (216.58.212.129, port 443 from local port 49752, GOOGLEUS, United States), 127.0.0.1 (unknown) and clients2.googleusercontent.com
cmd.exe (started) -> wget.exe (started), conhost.exe (started)

Contacted Public IPs

IP               Domain                                 Country        ASN      ASN Name  Malicious
216.58.212.129   googlehosted.l.googleusercontent.com   United States  15169    GOOGLEUS  false
239.255.255.250  unknown                                Reserved       unknown  unknown   false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name                                   IP              Active
googlehosted.l.googleusercontent.com   216.58.212.129  true
clients2.googleusercontent.com         unknown         unknown