Malware Analysis Report

2024-10-19 11:55

Sample ID 231004-1wr1bsfc61
Target d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515.bin
SHA256 d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral5, behavioral6, behavioral7, behavioral1, behavioral2, behavioral3, behavioral4 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515

Threat Level: Known bad

The file d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515.bin was found to be: Known bad.

Malicious Activity Summary

Tags: alienbot cerberus banker evasion infostealer rat stealth trojan

Android sample (static1 and the Android runs behavioral1-4):

Alienbot

Cerberus

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Acquires the wake lock

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background)

Removes a system notification

Windows host (behavioral5-7, which open two files extracted from the sample, HM_JsBridge.js and consentform.html, in wscript.exe and Internet Explorer):

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

The Windows-side entries are Win32 API signatures; where this report shows them (behavioral6 and behavioral7) the process raising them is iexplore.exe rendering consentform.html, so they say nothing about the Android payload's capabilities. The verdict rests on the Alienbot/Cerberus family matches and the Android behaviours listed above.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 22:00

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row (static analysis, no process context).

Indicator                                  Description
android.permission.RECORD_AUDIO            Allows an application to record audio.
android.permission.SEND_SMS                Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage. (listed twice in the report)
android.permission.READ_SMS                Allows an application to read SMS messages.
android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.RECEIVE_SMS             Allows an application to receive SMS messages.
android.permission.READ_CONTACTS           Allows an application to read the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage. (listed twice in the report)
android.permission.GET_ACCOUNTS            Allows access to the list of accounts in the Accounts Service.
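The permission list above is the raw output of the static pass. What an analyst actually wants from it is the capability set it implies: READ_SMS together with RECEIVE_SMS is what lets a banker intercept SMS one-time codes, CALL_PHONE lets it place calls without the dialer UI, and so on. The script below is an added example, not code from the report or from the sample: it parses a decoded AndroidManifest.xml (an APK stores the manifest as binary AXML, so decode it first, for instance with apktool), keeps duplicate declarations visible, and maps the declared permissions onto those capabilities. The manifest it runs on is constructed from the twelve permissions in the table above with a placeholder package name; the capability groupings are this example's own, not part of the report.

```python
"""Extract <uses-permission> entries from a decoded AndroidManifest.xml and
map them onto the capabilities a banking trojan needs.

Added example; not code from the report or the sample. The manifest below
is constructed from the permissions the static1 table lists (duplicates
included, as the report shows them) with a placeholder package name.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Attributes on manifest elements are namespaced; ElementTree exposes them
# as "{namespace-uri}localname".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed input: the twelve permissions from the static1 table.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="placeholder"/>
</manifest>
"""

# Which permission sets enable which capability (this example's own
# grouping). Every member of a set must be declared for it to count.
CAPABILITIES: Dict[str, Set[str]] = {
    "sms_otp_interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    "sms_sending":          {"android.permission.SEND_SMS"},
    "silent_call":          {"android.permission.CALL_PHONE"},
    "audio_capture":        {"android.permission.RECORD_AUDIO"},
    "contact_harvest":      {"android.permission.READ_CONTACTS"},
    "account_enumeration":  {"android.permission.GET_ACCOUNTS"},
    "device_fingerprint":   {"android.permission.READ_PHONE_STATE"},
    "external_storage_rw":  {"android.permission.READ_EXTERNAL_STORAGE",
                             "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def extract_permissions(manifest_xml: str) -> List[str]:
    """Every android:name on a <uses-permission>, in document order,
    duplicates kept (a manifest may declare the same permission twice)."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return [n for n in names if n]


def duplicates(perms: List[str]) -> List[str]:
    """Permissions declared more than once, in the order the repeat appears."""
    seen: Set[str] = set()
    dup: List[str] = []
    for p in perms:
        if p in seen and p not in dup:
            dup.append(p)
        seen.add(p)
    return dup


def capability_profile(perms: List[str]) -> Dict[str, bool]:
    """True for each capability whose full permission set is declared."""
    declared = set(perms)
    return {cap: required <= declared for cap, required in CAPABILITIES.items()}


def banker_score(profile: Dict[str, bool]) -> int:
    """Number of enabled capabilities; SMS OTP interception counts double
    because it is the one that defeats SMS-based 2FA."""
    score = sum(1 for enabled in profile.values() if enabled)
    if profile.get("sms_otp_interception"):
        score += 1
    return score


if __name__ == "__main__":
    perms = extract_permissions(SAMPLE_MANIFEST)
    profile = capability_profile(perms)
    print(f"{len(perms)} declarations, duplicates: {duplicates(perms)}")
    for cap, enabled in profile.items():
        print(f"  {'x' if enabled else ' '} {cap}")
    print("score:", banker_score(profile))
```

The profile for this manifest enables every capability in the table, which is the shape one expects from a Cerberus-family banker: SMS interception and sending, silent calls, audio, contacts and accounts. The overlay and accessibility abuse the report records as behaviour (the Accessibility service signature) is not visible from permissions alone, so this check complements the dynamic runs rather than replacing them.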

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

All DNS traffic goes to 8.8.8.8, the sandbox resolver. The in-addr.arpa names are reverse (PTR) lookups the guest issued for addresses it was already talking to, and the only forward lookups and TCP connections are to Bing (204.79.197.200), which is Windows background traffic. Nothing in this capture is specific to HM_JsBridge.js, consistent with the empty Signatures section for this run.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
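Sandbox network tables like the one above mix three different things: reverse (PTR) lookups, forward DNS queries, and actual connections. The PTR rows are easy to misread because the "domain" column is not a destination at all; the address the guest cared about is the name read backwards (138.32.126.40.in-addr.arpa is a lookup for 40.126.32.138). The script below is an added example, not part of the report: it parses rows in this table's format, inverts the PTR names back to addresses so they can be checked against threat intelligence, and separates known background traffic from anything that merits review. The rows are copied from the behavioral5 table; the allowlist of benign Bing destinations is an assumption about this sandbox image, not a general rule.

```python
"""Triage a sandbox Network table: turn PTR names back into the addresses
the guest was talking to, and separate known background traffic from rows
that need a second look.

Added example, not part of the report. Rows are copied from the
behavioral5 table; BENIGN_* is an assumed baseline for this sandbox image.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed input: the behavioral5 Network table, minus the header line.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
"""

SANDBOX_RESOLVER = "8.8.8.8"
# Assumed benign for this image: Bing endpoints the Windows shell contacts.
BENIGN_DOMAINS = {"g.bing.com", "tse1.mm.bing.net"}
BENIGN_IPS = {"204.79.197.200"}

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name: str) -> Optional[str]:
    """Invert an IPv4 reverse-DNS name; None if it is not one."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:  # octet out of range
        return None


def parse_rows(text: str) -> List[Dict]:
    """Parse 'Country Destination Domain Proto' rows (space separated)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row: Dict) -> str:
    """ptr_lookup / dns_query for resolver traffic, connection otherwise."""
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] == SANDBOX_RESOLVER:
        return "ptr_lookup" if ptr_to_ip(row["domain"]) else "dns_query"
    return "connection"


def is_benign(row: Dict, kind: str) -> bool:
    if kind == "ptr_lookup":          # the name is not a destination
        return True
    if kind == "dns_query":
        return row["domain"] in BENIGN_DOMAINS
    return row["ip"] in BENIGN_IPS and row["domain"] in BENIGN_DOMAINS


def triage(text: str) -> Dict:
    """Counts per kind, the addresses behind PTR lookups, and rows to review."""
    kinds: Counter = Counter()
    ptr_targets: List[str] = []
    suspect: List[Dict] = []
    for row in parse_rows(text):
        kind = classify(row)
        kinds[kind] += 1
        if kind == "ptr_lookup":
            ptr_targets.append(ptr_to_ip(row["domain"]))
        if not is_benign(row, kind):
            suspect.append(row)
    return {"kinds": dict(kinds), "ptr_targets": ptr_targets, "suspect": suspect}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["kinds"])
    print("addresses the guest reverse-resolved:", ", ".join(result["ptr_targets"]))
    print("rows needing review:", result["suspect"] or "none")
```

For this run the review list comes back empty: thirteen PTR lookups, two forward Bing lookups and six Bing connections. The thirteen inverted addresses (40.126.32.138, 192.229.221.95, 51.104.136.2 and so on) are the only indicators in the table worth feeding to an IP reputation check; a real C2 would show up either as a forward lookup of an unfamiliar name or as a connection outside the baseline, both of which the function flags.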

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win7-20230831-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware

Every key below is in the user's HKCU\Software\Microsoft\Internet Explorer hive and is IE's own session state written on first launch (Recovery, TabbedBrowsing\NewTabPage, WindowsSearch, DomainSuggestion, GPU, Window_Placement). No start page, search provider, proxy or zone setting is changed, so the adware/spyware tag reflects iexplore.exe writing its housekeeping values while rendering consentform.html, not a modification made by the file.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C11FF61-6301-11EE-8AA1-FAEDD45E79E3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000c9cbff5dd83b4b569bc79f5c09c3797fda119dfe2abe2781d99ce20108f2d691000000000e800000000200002000000084a0a23686635598e6bd1078a530fec5fcafc638d8b50c022aa9ea6e404a1c592000000012b7b7c33a68092209afef6a4891e9845951d239606d692acac9cbc7687d726b40000000844f7afe39eac4d767cf8196d0a968d71aa595aa8f94c2fdd8dfbcf1d9f00e5a3088803f0002c40b4c385827bdaa6e63594dc2484dd8e44273f7387d2b8ebbc5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0850c420ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618694" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2

Network

Only Internet Explorer's own endpoints appear (ieonline.microsoft.com and a lookup of www.microsoft.com); nothing here is specific to consentform.html.

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

All entries below are produced by Internet Explorer's certificate handling while rendering consentform.html, not dropped by the sample: CryptnetUrlCache\MetaData and \Content are Windows' cache of downloaded CRL/AIA/root-update data (the same MetaData name recurs with different hashes because it is rewritten on each fetch), and Cab52D4.tmp/Tar52D3.tmp are the temporary cabinet download and extraction in %TEMP% that accompany it.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dacf5d27c6a7b235afbdcadf3f3db919
SHA1 d8d4152762ed43f14912879198005a0d708b9422
SHA256 fd5699a82b2f44f99654d0905cbfd0b858ddbb0c8f4713e88af6916196680db7
SHA512 a00fd776f88a465c52468d1bf674a510b8760f1b26c9554a6b77fecd2716c38963f54706881dbb83643667055f5d35072968249b4472fe2cf0cf6780e60ec6e9

C:\Users\Admin\AppData\Local\Temp\Cab52D4.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar52D3.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f85b5c6bf313a83b6b8e67680e16c8c6
SHA1 c9d9ea7aaef27a00362eb65983386cad4141b758
SHA256 aa053ce67a85fcd5e04fe540bff30c7a0fbc849167234d847525e212d2495fde
SHA512 8501cdf0e764f023a598dce938aabc6c2f2cdfb876a5f80e7127f37a4727ea1365ac4d14af73addd5fa133b3c9380f287ff80607b89b2832a16b63597b773638

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d99ddc6f695c4fc77c5718612af4ec2e
SHA1 9b6bba354f59bb5e288915a85d1216be827e4a2f
SHA256 957ec79a9cbd7a75851efb0a77d1027ae95c85df1505642e9675b8f8b1bf8e62
SHA512 5efb62356d88c27bc6fa0a52cbd68b47d5f11ebb2f7ded2b8cdb1bcba7d55136aedbc11d402255ea16ab81b72f0a577d5a03a1a16b521df550fe0f3d4af12377

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9caa10ee70724e4379f8871dd3903f4
SHA1 5ea656dbbd2fefccbf2ef2e455c21bcf6a9541ef
SHA256 462d62cac13e29c2f59395c4ff87f8f6fa3416e0320f025a1ad9543af739dfee
SHA512 0d4810f82fbf789eb181324d1a5344e1f886750555907fe1480e8f1c4335398c191c39b928b8f3a3c9bd1dc0d3a61d606c5a472fbc247250692e7b4801610825

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029e1639c8cc78ba8316587a5f4fe95d
SHA1 6c220d07fd4a525508a4d9e9ede2476666e96251
SHA256 b3384dc719f6857df84af403a46f383b9de858910cddf9fd973eb3c5f8856c46
SHA512 1517ec2601ec09ceb75b517958ff891b99b2625e564d9d70084106b5ba064e8405e650b740c7dd1c0089a03845356f64c2040e85eb3f1d5c19655f010d3d6a72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e7b9a4c1d82d1ec01fe8e0f047012ca
SHA1 e07892df55114562204883b44ed6c6cb82d8ce97
SHA256 045e5edb260c4089f36a64d2d4464dc812bc57e4686a6c37e33edeef9ee271be
SHA512 cf8703f357887cca3af468c7c9ff86db59d9bf1fd56401c8d2874f14c121f61443d1c431bd2983819310f705aab5ad5ddda166d9efcd02fb0bf17bbfb036555b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83f5e99cc226b743d06d8b87d6547634
SHA1 047653177a7129602e945681d7d7f086121e8b76
SHA256 12f43d5f4f3a57b07377ef99874b286b0a9611100a3bd8285fb52b86f80b38a2
SHA512 0dfb695ecbdd2eddf5b50105566b15c966765b8f3ed6a662b8b736ea15e174ff514722fd85a11c301b4696353b04bd4a3a7be2eac6324ff0d01d630dc7af3adf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01808ff768b8599f2dd0aea3222bb9e0
SHA1 43ebe8085246a3d4c48e8bbc28da22500fc7a830
SHA256 9a40fb65b0914aeaa9640725f76540de5f4e3695d69c2e122cd9e7c5344d6ed7
SHA512 b236e385928bba9507beafc019e827ce0de1f4d59a76fae3c16e2284bf92aa8a428280be31ce0cd975cfade6ad5136990032700a61af5dae5df0672341f0f5c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8110587bcf8c077823d9ce0123fff567
SHA1 8d3a7d6d94fda0b0ac37a4d57b4ea41ec5eceb8b
SHA256 3a2f08e9a9bac4da0ec7401f29f79be5d609cc03140c21921f574c44d49ee5c0
SHA512 1bd98ab7da840b171820fbe17e6147954851c46a61e7187c21dd0e893fe5a946d77e3d8d0b2fc4453c58a4aec3bdd5fbcf92855a86e214c023c2893e094573ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db1b1bc49433ebef6e385d74d0ea0187
SHA1 99a6af2a30e7f090fb8bf811f6dbb8d63c2c5b79
SHA256 35e0efdd732c73d9b789beff2eb24079097cf22888af29e55826da2d38017578
SHA512 07c925fefb46ca7efd20689d667efa12315250aa2b3005f9730f877a4d50771e3adff50d3ea627475369f7f9ff231e9a403f3137a81722929ba14a5b523dcb75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 917d8bb948d349cfbb2edc8148e15a95
SHA1 214546fd26a01758f90ab38cca79e8f0739f28e7
SHA256 1277828845081decf9a2d3cc21d24b09c06ee1be4aba3d43bc96766ae07bd545
SHA512 2b51ee9689a6864c5230c81f414a621fae1086f8416ea3a27adaaed34b1f54d449fafcd7607e6dd2e39a330d44696b18dc8f1d8e11ac4f16e0873e24976ca817

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86b251f256d040ed722c3398a6c4adf6
SHA1 b9488a2c5c8227b12e12945f3c5adb644b36c546
SHA256 4c5fe93cce070de78f612c7fb157d30a70d33aef4d785a83b05b89af8dfbb0aa
SHA512 a4148f92c180ecd963582b6c26b397c2bf6ba52ad01e0baf07b9d3945b5dd13b71feddf0d841ee41c51336df8e4964bab908c221df2ec439b214f3252bc573b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad0e2b0d240d03d1927c9695539aaed6
SHA1 8e9d9da00ff11af32307c4ad15304010d405450d
SHA256 0704d2d2ed73496b4ccf2d5d78c63466a2a8f0c7661b5f9e69fa9cd2a0a3441a
SHA512 16e99f77e82fa8aee559089eea1dd5be8e7f5e06dd7e05180b8ce8a14d431375b8953bf67496a61ee4f01234bdd6fa5694b6fd94ce319be64febff06aac8a282

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a85d9ef7e47aef7a0fbdf53aba58b02
SHA1 939df8c4a560543c9839cbb90bb6b67b3d61780b
SHA256 cc788cf9bf1c5a0a3cdf8bb0c7038319556a260ee6d23691ce5175aab892d41a
SHA512 956349576c29cd7bb34d90191d92b89755766efcabb99b2c16cb2dfa5a9e5bed2f7567e2a28601bdeee4055a686e26078e7cbf87e5cd2b7ae6d7c14200401a2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57a9744d0f22ed65306d9e225cfa2117
SHA1 e84c9271ddbceda072f4dee2e5c8e5656b27312a
SHA256 1e7d1a6a56df170058585df823b03bea8ac2c0df5767b6e02172005c83de0ab4
SHA512 211c974310a692cca3ae2c33c77dcb2b325b16c44231885d98dc42e972437c06f00046aca1fc4e29d933b4fb95cff8726af2465d96de739f2d376b4116019c8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 81e46abbe5d088eec80c8e1aa8c7b094
SHA1 3a5c650e4689a89e0db45b43f99f4a0af9aeb095
SHA256 6412b0269d4e853a6c35816fd765f985a27ff9126da53d1600b193b85b17c25d
SHA512 7caf819c84c712f75e9b695266a6f5395a82192f0a564e0d394bf6dd94a588750a2c4a25f7fdbe81aaade8dc2a16f29e7f98181558645778bb6379b6d10426a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 280eb2f9d66d966e73cdd3d6ce8d4031
SHA1 f555155c9263e161db65495e856526d1bbe32071
SHA256 aefd0f2455a9b5054a2e59294f196a2284753f68c8906025e0f98866bc55ad8a
SHA512 c96219c47b670d66ea55c7c57767af6054c1647b124a020a3c5feaff5c6cb9cd20fdd3b77ccc16bc39546f9e527541a43051c21e0daea304f3863a4b7216c99a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eae224c6bb943f8b8aca626b09dcabf6
SHA1 09c8a04bac210284604beaf0a17e5e28137dea1d
SHA256 505b3990ec8ef5f105b8cd9c77d4c2474614b5fcc365a9bd79e0fd41df7d2d2f
SHA512 5ac6244fd9b993c330d0382064c471cb10f2bce997441454cbca5602f27e308aadb15fef884babd167bf6c41b75e3f2e12ad3a0d598a9ead68e799932abba1c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c65e928b48de5e61df279d74c74974e
SHA1 dd1b561d8aefd29c893278a4b244c215aa905890
SHA256 1089e02cc3cb110a9b4ba45731140135b64dd874a9a92c743a935fafe0f974e6
SHA512 05e277af5b1cb6309dfe09e748ec566dddc986ab85787044a87794aa6b045af2fc3d2543f58ddde1b418197ccb54ee2250a8aa499af898adf06e0d9af4b49c13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c2e47cbf83b2640623cc5b241e18230
SHA1 4b25aa880c399d7878b618bfbb9f8603d195bf29
SHA256 06629325ebd90d42771f3ac90aa75281d23b52073fa1526d9e235c98911ba019
SHA512 39f0ad144c7a2e236bfdecd5fe94c2dbcfb9d6e4570c54cf65073607afbf3108cc2c94db51f4b166dc501a1bc3e5e707ffb85f47e6ea1699b5b16f0cd448e4f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 c18025b3ff34879decc388a5efdf3c4f
SHA1 3d2fe4225d92c05801a96a5b74019d7c18f593e0
SHA256 1a60df6d8a40833a1f1f77667bc84ee36950d2d20faf937b3cab341a1495da1b
SHA512 e4b864caac14a7496087e2176cfb40ba9a95d012886ab0d3c0bb4ab45b1d625b6a67bc531638e29edd5975a594a1f490f66c7d59b6ccf34d986e66dda55e6af0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a9b28963e6ded82c79d5eacc403f06d
SHA1 7c178d7ca7b1e468b4dbba9fdd50ee243a548fb5
SHA256 c32e0a38e1a7b9a48ee0798f2beea75db7d01fac70a5daa12a95faebc10460f6
SHA512 033ea488e3d7c906c9164143cf8559feb44a28790830695e324b3e1bdba0d2c46b33423f0e13361733cb235da4ea56357572a5dd743ac31d90cddcf3bad1dd12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3580d6885d4b750d8bbffa781c9f0ffd
SHA1 9de5b3bbfddd0a5b9e7511b0a46588443b2025a6
SHA256 063e8138d3014a9bafb112e874b4c5a1098a40bb27bd77d414b961a52b0fd820
SHA512 4d7e75c818be78df26edc33df42416ddc0d98f9f717cdf8b7095e5fe3c7b5f76641b975883367174748b6c0780b73f387da7ab5e10621217863fd678e94a9fb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5127fd0662249b07b0d7c857e0b75163
SHA1 2a4b178897a11bb05672b4425cb5563ccab82de1
SHA256 2eb63caa24258e52058f6bf0d7315546ad33bcf56ecf605924ef617754951508
SHA512 8366cc2cc75d1e94607a920cc3429b0ece83985413aa0457d7e8db495123d496fe5743203f420551145b97da55c3e8ed64f657e6c81595fd237b7d658d3f56ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 444c051b4c8642a49cce316527528618
SHA1 043f526fa02dadc90c1d730a6d0f6996a6a0c949
SHA256 08b6b628330f3293d5bb94bff892b6b6e419f7b779a566013ad8846f32b7a1e0
SHA512 dd0cdb315403c4b83ffda39ff87a537176a9f8ab6feded0fc3c74efb412ec82188215a3ad61b2a4938699c36c45de169c84fb11ea1e45d7b076f8c0ac2dc000a

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware

As in behavioral6, these are iexplore.exe's own first-launch writes under the user's HKCU\Software\Microsoft\Internet Explorer hive (VersionManager, IESettingSync, GPU\AdapterInfo, TabbedBrowsing, Recovery, DomainSuggestion); no start page, search provider or proxy value is touched. One value is worth noting for sandbox-evasion purposes: GPU\AdapterInfo records hypervisor="No Hypervisor (No SLAT)", i.e. the guest does not see itself as virtualised.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000d20e10593616e1af3764a4a318bee0ca805854613a7136cc243576370289377b000000000e8000000002000020000000e9e39740523762a221617cf1261ed75b516d89a07f5cb1bf94e304df3b4f73b4200000000e36b3d425d36efa461b6a81ca840608ebf9b2cfb7e111e9391f14f73b6b08b840000000f282ced98ef04e24ba1fc4d14198731ea3074e3c3105edbb80b5bf388807e4c9e7de99dacc4d95397ddb071af11404b266c8ef9091f8a040db11f3d529be83ac C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f667430ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31061774" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403221803" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6D1798DD-6301-11EE-9784-6A906B243823} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1114956384" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205557430ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1101519148" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1101519148" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000e27b684f348a0eda398717ae0720f8a6301652a4ea8077180e10f5b289dd39fa000000000e8000000002000020000000164133c92a3019e8d3c826b030094cc500bf5dbe9dc69063ad2e10031a73c8b720000000f0139dd5e2ecb52f7e47a06030d4edab7ad568ca975b89e18e32584f3e7e449a400000007e367d39034b4e7e41d2dd8a7142f51422e2fbadc857de40c10783b5648723714d0d2f5117213f0058b935bb8a24fcd8c285c1b581e253a5c7c2b34cf0b86e69 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\742GEXTW\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

4239852s

Max time network

132s

Command Line

com.bracket.response

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json N/A N/A
N/A /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.bracket.response

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.bracket.response/app_DynamicOptDex/oat/x86/poOgS.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.36.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.202:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 eklimitonay.online udp

Files

/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 eb12dc860803fa235a67514476abad82
SHA1 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70
SHA256 b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e
SHA512 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46

/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 ea34525b6118054f1c247d9b9f12a88e
SHA1 320867b799af423780a346ce10032892d008369b
SHA256 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c
SHA512 f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 41e439e3c62b9885f1dbd5934dde2949
SHA1 73ded2dacfe908dc8ed08a3535d0111d712501a3
SHA256 5aae4163bcb5869a98f0fd358726b42076b58b30db4ee0e24951952a2ad8a6a0
SHA512 e5b47ba9910f9ab6ded461dfc33dabe65d7ee2b6cdfced599c6ca126a4786391492ef514435e567e522932fac27bb425f1a54b7ca9ba8e2933e7d6d1e490a9a2

/data/data/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof

MD5 e412da86696504a043174151f29ab837
SHA1 3cfeb714eb0a3194db8d6897fc2c2791dfdba11e
SHA256 3dee9886ed3b23090c0581c581f5c1e7ee3f392b07e1dfc5c6873b4176219e1b
SHA512 d967258b39bb2a4edf9007805e94d6d27be45b3855a126a8327374ff62922ca91018d44f86aa49358041157799fd89280ce8f9ebc46930384f86c4669e205e2f

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

android-x64-20230831-en

Max time kernel

4239857s

Max time network

133s

Command Line

com.bracket.response

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json N/A N/A

Processes

com.bracket.response

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.208.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 eklimitonay.online udp
US 1.1.1.1:53 eklimitonay.online udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp

Files

/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 eb12dc860803fa235a67514476abad82
SHA1 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70
SHA256 b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e
SHA512 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46

/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 ea34525b6118054f1c247d9b9f12a88e
SHA1 320867b799af423780a346ce10032892d008369b
SHA256 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c
SHA512 f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/data/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof

MD5 620a90141150941cd02ee12f6c96f352
SHA1 4dc427f490740b1a07e192904ab84529e975b36a
SHA256 d5876df73050b09ab44d51d8c15b5756ccb06ec62e0d2768f341d2c29df90228
SHA512 658f602256db517b061c1d0b712072e3a155a86b2e527316d5970ccdca59c4899cb582acc7557220ce7df8e9e431f555ba93fdad85ba6a859cb03f65cc98aef0

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

4239869s

Max time network

148s

Command Line

com.bracket.response

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.bracket.response

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 eklimitonay.online udp

Files

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 eb12dc860803fa235a67514476abad82
SHA1 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70
SHA256 b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e
SHA512 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 ea34525b6118054f1c247d9b9f12a88e
SHA1 320867b799af423780a346ce10032892d008369b
SHA256 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c
SHA512 f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e

/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/user/0/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof

MD5 4059e3937c40b579488ba69616dd1560
SHA1 b70a5c1af9a6343a092b2604d454337a2e08ac56
SHA256 5c5d0da9afb626458fd0b0fad45d8c0d61368fc0e8347eaed4f5e83c6043f186
SHA512 d2093bf3e9617da8c626e25112df8d2987afdf86f733b74a26628578affd1ee4d6102c37abc592a423705dfad1a295fea1f3fdb2e5b9894f30173f0c777ae9e1

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win7-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

N/A

Files

N/A