
Analysis Report https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download

Overview

General Information

Sample URL: https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download
Analysis ID: 404275

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 6452 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • chrome.exe (PID: 6800 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'C:\Users\user\Desktop\download\uc@id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 7000 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,12290585205416118591,770383313206273744,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1708 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.6: -> 142.250.185.99:
Source: unknown | DNS traffic detected: queries for: clients2.googleusercontent.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: classification engine | Classification label: mal48.win@36/169@1/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\45040fc5-b1d0-4b6a-be95-a5f4e016b916.tmp
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://drive.google.com//uc?id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download'
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'C:\Users\user\Desktop\download\uc@id=1ExbiBQm3R9DeKMtJJ7y4hk9h5s5yiyeZ&export=download.html'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,12290585205416118591,770383313206273744,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1708 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\wget.exe | Code function: 2_2_00B5C3E8 push C800B5C8h; ret 2_2_00B5C61D
Source: C:\Windows\SysWOW64\wget.exe | Code function: 2_2_00B4A915 push eax; retf 2_2_00B4A9B1
Source: C:\Windows\SysWOW64\wget.exe | Code function: 2_2_00B53968 pushfd; retf 0076h 2_2_00B5396A
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: wget.exe | Binary or memory string: Hyper-V RAW