Source: MSAssist.lnk |
ReversingLabs: Detection: 56% |
Source: MSAssist.lnk |
Virustotal: Detection: 50% |
Source: https://page.googledocpage.com/ |
Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/WiU |
Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/I |
Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/z |
Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/U |
Avira URL Cloud: Label: malware |
Source: page.googledocpage.com |
Virustotal: Detection: 12% |
Source: https://page.googledocpage.com/ |
Virustotal: Detection: 12% |
Source: unknown |
HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49696 version: TLS 1.2 |
Source: Traffic |
Snort IDS: 2033450 ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) 192.168.2.3:61787 -> 8.8.8.8:53 |
Source: global traffic |
HTTP traffic detected: GET /35FlWc2 HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: bit.ly Connection: Keep-Alive |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: C:\Windows\System32\mshta.exe |
DNS query: name: bit.ly |
Source: Joe Sandbox View |
IP Address: 67.199.248.10 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49696 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49696 -> 443 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/ |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp, MSAssist.lnk |
String found in binary or memory: https://bit.ly/35FlWc2 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2... |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2B |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2C: |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2S |
Source: mshta.exe, 00000000.00000002.524417090.000001D66C1B0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2aHOMEDRIVE |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/35FlWc2r |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bit.ly/r3 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://page.googledocpage.com/ |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://page.googledocpage.com/I |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://page.googledocpage.com/U |
Source: mshta.exe, 00000000.00000003.257329635.000001DE6E1B4000.00000004.00000020.00020000.00000000.sdmp, 35FlWc2[1].htm.0.dr |
String found in binary or memory: https://page.googledocpage.com/WiU |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://page.googledocpage.com/z |
Source: unknown |
DNS traffic detected: queries for: bit.ly |
Source: Yara match |
File source: MSAssist.lnk, type: SAMPLE |
Source: Initial file |
Strings: https://bit.ly/35FlWc2%wN |
Source: C:\Windows\System32\mshta.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE |
Source: C:\Windows\System32\mshta.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\mshta.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 |
Source: MSAssist.lnk |
LNK file: ..\..\..\..\..\WINDOWS\system32\mshta.exe |
Source: C:\Windows\System32\mshta.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4 |
Source: classification engine |
Classification label: mal84.rans.troj.winLNK@1/1@2/1 |
Source: C:\Windows\System32\mshta.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\mshta.exe |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C090000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\mshta.exe |
Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe |
Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe |
Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |