Malware Analysis Report

2024-10-19 12:18

Sample ID 230920-1xkmmsah31
Target a6e664bd38d4c2030e107e16efc00905f85554196bc3c4ba777edad54efefd09.bin
SHA256 a6e664bd38d4c2030e107e16efc00905f85554196bc3c4ba777edad54efefd09
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file a6e664bd38d4c2030e107e16efc00905f85554196bc3c4ba777edad54efefd09.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-09-20 22:01

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 22:01

Reported

2023-09-20 22:05

Platform

android-x86-arm-20230831-en

Max time kernel

3030438s

Max time network

138s

Command Line

com.pressfigure65

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json N/A N/A
N/A /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pressfigure65

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pressfigure65/app_DynamicOptDex/oat/x86/NKFq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 9r8i1u84t2gp1.online udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
NL 142.251.36.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-20 22:01

Reported

2023-09-20 22:06

Platform

android-x64-20230831-en

Max time kernel

3030355s

Max time network

133s

Command Line

com.pressfigure65

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pressfigure65

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 9r8i1u84t2gp1.online udp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 arw2he7x57wp.pw udp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 arw2he7x57wp.pw udp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
US 1.1.1.1:53 cm603lzeyxdw.biz udp
N/A 185.161.248.142:443 cm603lzeyxdw.biz tcp
US 1.1.1.1:53 cm603lzeyxdw.space udp
N/A 185.161.248.142:443 cm603lzeyxdw.space tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.206:443 tcp
NL 142.251.39.98:443 tcp
NL 172.217.168.202:443 infinitedata-pa.googleapis.com tcp
NL 172.217.168.202:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
DE 172.217.23.195:443 tcp
DE 172.217.23.195:443 tcp
US 1.1.1.1:53 g.tenor.com udp
NL 142.250.179.202:443 g.tenor.com tcp
N/A 185.161.248.142:443 cm603lzeyxdw.space tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
N/A 185.161.248.142:443 cm603lzeyxdw.space tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 172.217.168.202:443 semanticlocation-pa.googleapis.com tcp

Files

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-20 22:01

Reported

2023-09-20 22:04

Platform

win7-20230831-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6007da1f0eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401409177" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000e7fc1fdfbc1143049d2fc5f8a4e507621ef20d3ffe2af8b28471cde5d8bd6038000000000e80000000020000200000003c474e813c64531e7235cc2265b916c411e19055a09c3832bb92d146f270db41200000005d70ef58cf70bed5d200a1a4d8fe64ace03bd15fd7aafc6bdde4fac24cea6bfb400000002665791f92d2c8d6f35383511b7040223305b4df97713b0b1f2fefc8de57ad917e3f5538d626c5db61808ab40541f0ce61243959638977558c2489eeeb4f8983 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A88FFC1-5801-11EE-865B-4E9D0FD57FD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5998.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5A56.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8496e912e62f8daadbddbd9561535e38
SHA1 80bb41dbd07b2e6c7c9649ee420f85e3f9e085a9
SHA256 cf46efd87c7fc4afd77c6405ffd0efd90f1e41183d848f805ba8a3c128276bb9
SHA512 70643f84020d50aa18d06d23bc40db808ea5a157d8fc608c22be6358a9a60161894c186f77978c70b39d65a98f805f1cc12db73561875f15674cd2744d67086d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34ddc0b99498e179f11793528a0cb638
SHA1 2648f43e7bd7ff9d3637539402996ade484ea8e0
SHA256 651798850d32a6bfbf2b9c6b1d3a2a451448ac532ee0d6f9f2689420ef2d834e
SHA512 7a1624d424c90ffbf5f20c1e5aeca3e86d153cb395a1ce2871b5cfc258b25503c06b283220260a0e61ec3fa859d6e053b828f74acb7dc0427cc268d228ee08a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d8178c6e5aba2933151c68ddc9d71c0
SHA1 775047367e94d1cf9ea1dff963afaf1de70ca3e9
SHA256 d691dd84f46b23eb78fcaae4e341c4337829c736fb49a01d113d5a8892ca300c
SHA512 6345671f2e77c370743b5fe1aab916e87ad1f4383bdeac939a7a771b4655e20ee36fba65f4c885f0b7e6074d81a90a1eda4388eab1bcff1deadca34dc39a4da6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f64a6243a7812af1845425346749a03
SHA1 a001e22460d18921b0d132aad6bfb2d2d03f4271
SHA256 4d0f674f904e3f00c770a9f7fe5bed7df594dfa3c7cf17d4083e927c083bc0be
SHA512 8bf78d73a71f82566a9f61802d03bc70c9c2a7027eaf0150b4d16a58255228db9c825f64d74bf4ed1e6cc6a8f41381051dad15a55586f89d7692bac90b0fd4d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15c989d676c36cfb356cf4b9907e8c24
SHA1 3528367218ce9127fd2634655ac667ec3635964b
SHA256 1a7978b30e09f26660791b846c0dc15dd186b7a9c998dacf1425108d3d88393e
SHA512 cbbab6ba0ee2350c7645f472608afad32c6376fa7b66da3791b37931e91f9be3501a45d117b74d72c662ae7073df2d013835d7c043196235ce59e1fbd816be57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99a08a9f662b4a8273b087c4e6be601d
SHA1 c44dccd3313e028b039969d5f5566029c6763371
SHA256 a5f9e8f0461613263a6d3d7232a375bd03f6e94c785b44b049de15c79f12103c
SHA512 e23223458224497a55e9b59d1228e340322ee75d27a2fd7cac3d986f9e86c56f12b80825b59275a7d240747abebccb6b8a3172a1e0557a1a89ffb16f6c16c210

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-20 22:01

Reported

2023-09-20 22:04

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "548498338" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0119a220eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef5000000000200000000001066000000010000200000001d47571ba9e4acc9adb433af505499651efecdedbc1aa2199fdcea71678de587000000000e8000000002000020000000e776fef4da522c0da59bb31f0f657f4f1a4099571a4c7f239beb4bd45b95113a20000000847cd98bb6748836559be1a4012b06390c343e45fc279d41af66d5dab7be7bef400000002d920b04408d470ea9ce27259a8b72790c2a227239e9b5d46789b986f68be5c4839e5b082c5917ce4aae2cc3e4f917e8158fa2034b7a2fcefda033965d0c0c2d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402012284" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058958" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000ebcda583e18a6e45a4f847e2ce1d593a6562f7207a3d67f87c17963158bd3aa7000000000e8000000002000020000000c30495bcbb8abe6fad02e3d505417f057796d13808ae94af4169d9da2036b0b120000000e99bda61766346f71ae2c853c45215a04037ddcd3ecd1d14861bb2956b5bac0d400000004b76fe0c660d90b6649fa19cf455785ad0583fe200a626135175bf9a1d896b2e5ac089f6d8d921420ca0125d1b4a44afc0e3bceba6ce43ed5cd028a6ce2cdadc C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06ecf210eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4C267901-5801-11EE-9784-66F797301216} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "558812957" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "548498338" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee