Source: MSAssist.lnk | ReversingLabs: Detection: 56% |
Source: MSAssist.lnk | Virustotal: Detection: 50% |
Source: https://page.googledocpage.com/ | Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/WiU | Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/I | Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/z | Avira URL Cloud: Label: malware |
Source: https://page.googledocpage.com/U | Avira URL Cloud: Label: malware |
Source: page.googledocpage.com | Virustotal: Detection: 12% |
Source: https://page.googledocpage.com/ | Virustotal: Detection: 12% |
Source: unknown | HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49696 version: TLS 1.2 |
Source: Traffic | Snort IDS: 2033450 ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) 192.168.2.3:61787 -> 8.8.8.8:53 |
Source: global traffic | HTTP traffic detected: GET /35FlWc2 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bit.lyConnection: Keep-Alive |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: C:\Windows\System32\mshta.exe | DNS query: name: bit.ly |
Source: Joe Sandbox View | IP Address: 67.199.248.10 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696 |
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/ |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp, MSAssist.lnk | String found in binary or memory: https://bit.ly/35FlWc2 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2... |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2B |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2C: |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2S |
Source: mshta.exe, 00000000.00000002.524417090.000001D66C1B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2aHOMEDRIVE |
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/35FlWc2r |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/r3 |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://page.googledocpage.com/ |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://page.googledocpage.com/I |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://page.googledocpage.com/U |
Source: mshta.exe, 00000000.00000003.257329635.000001DE6E1B4000.00000004.00000020.00020000.00000000.sdmp, 35FlWc2[1].htm.0.dr | String found in binary or memory: https://page.googledocpage.com/WiU |
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://page.googledocpage.com/z |
Source: unknown | DNS traffic detected: queries for: bit.ly |
Source: Yara match | File source: MSAssist.lnk, type: SAMPLE |
Source: Initial file | Strings: https://bit.ly/35FlWc2%wN |
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE |
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 |
Source: MSAssist.lnk | LNK file: ..\..\..\..\..\WINDOWS\system32\mshta.exe |
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4 |
Source: classification engine | Classification label: mal84.rans.troj.winLNK@1/1@2/1 |
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C090000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation |
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |