Analysis Overview
SHA256
d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515
Threat Level: Known bad
The file d358000cd10d3182c1f5a11d68a6a35952adb70ee4119deebe8a9861f61f3515.bin was found to be: Known bad.
Malicious Activity Summary
Alienbot
Cerberus
Cerberus payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win7-20230831-en
Max time kernel
134s
Max time network
132s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C11FF61-6301-11EE-8AA1-FAEDD45E79E3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000c9cbff5dd83b4b569bc79f5c09c3797fda119dfe2abe2781d99ce20108f2d691000000000e800000000200002000000084a0a23686635598e6bd1078a530fec5fcafc638d8b50c022aa9ea6e404a1c592000000012b7b7c33a68092209afef6a4891e9845951d239606d692acac9cbc7687d726b40000000844f7afe39eac4d767cf8196d0a968d71aa595aa8f94c2fdd8dfbcf1d9f00e5a3088803f0002c40b4c385827bdaa6e63594dc2484dd8e44273f7387d2b8ebbc5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0850c420ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618694" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1064 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1064 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1064 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1064 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dacf5d27c6a7b235afbdcadf3f3db919 |
| SHA1 | d8d4152762ed43f14912879198005a0d708b9422 |
| SHA256 | fd5699a82b2f44f99654d0905cbfd0b858ddbb0c8f4713e88af6916196680db7 |
| SHA512 | a00fd776f88a465c52468d1bf674a510b8760f1b26c9554a6b77fecd2716c38963f54706881dbb83643667055f5d35072968249b4472fe2cf0cf6780e60ec6e9 |
C:\Users\Admin\AppData\Local\Temp\Cab52D4.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar52D3.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f85b5c6bf313a83b6b8e67680e16c8c6 |
| SHA1 | c9d9ea7aaef27a00362eb65983386cad4141b758 |
| SHA256 | aa053ce67a85fcd5e04fe540bff30c7a0fbc849167234d847525e212d2495fde |
| SHA512 | 8501cdf0e764f023a598dce938aabc6c2f2cdfb876a5f80e7127f37a4727ea1365ac4d14af73addd5fa133b3c9380f287ff80607b89b2832a16b63597b773638 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d99ddc6f695c4fc77c5718612af4ec2e |
| SHA1 | 9b6bba354f59bb5e288915a85d1216be827e4a2f |
| SHA256 | 957ec79a9cbd7a75851efb0a77d1027ae95c85df1505642e9675b8f8b1bf8e62 |
| SHA512 | 5efb62356d88c27bc6fa0a52cbd68b47d5f11ebb2f7ded2b8cdb1bcba7d55136aedbc11d402255ea16ab81b72f0a577d5a03a1a16b521df550fe0f3d4af12377 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9caa10ee70724e4379f8871dd3903f4 |
| SHA1 | 5ea656dbbd2fefccbf2ef2e455c21bcf6a9541ef |
| SHA256 | 462d62cac13e29c2f59395c4ff87f8f6fa3416e0320f025a1ad9543af739dfee |
| SHA512 | 0d4810f82fbf789eb181324d1a5344e1f886750555907fe1480e8f1c4335398c191c39b928b8f3a3c9bd1dc0d3a61d606c5a472fbc247250692e7b4801610825 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 029e1639c8cc78ba8316587a5f4fe95d |
| SHA1 | 6c220d07fd4a525508a4d9e9ede2476666e96251 |
| SHA256 | b3384dc719f6857df84af403a46f383b9de858910cddf9fd973eb3c5f8856c46 |
| SHA512 | 1517ec2601ec09ceb75b517958ff891b99b2625e564d9d70084106b5ba064e8405e650b740c7dd1c0089a03845356f64c2040e85eb3f1d5c19655f010d3d6a72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e7b9a4c1d82d1ec01fe8e0f047012ca |
| SHA1 | e07892df55114562204883b44ed6c6cb82d8ce97 |
| SHA256 | 045e5edb260c4089f36a64d2d4464dc812bc57e4686a6c37e33edeef9ee271be |
| SHA512 | cf8703f357887cca3af468c7c9ff86db59d9bf1fd56401c8d2874f14c121f61443d1c431bd2983819310f705aab5ad5ddda166d9efcd02fb0bf17bbfb036555b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83f5e99cc226b743d06d8b87d6547634 |
| SHA1 | 047653177a7129602e945681d7d7f086121e8b76 |
| SHA256 | 12f43d5f4f3a57b07377ef99874b286b0a9611100a3bd8285fb52b86f80b38a2 |
| SHA512 | 0dfb695ecbdd2eddf5b50105566b15c966765b8f3ed6a662b8b736ea15e174ff514722fd85a11c301b4696353b04bd4a3a7be2eac6324ff0d01d630dc7af3adf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01808ff768b8599f2dd0aea3222bb9e0 |
| SHA1 | 43ebe8085246a3d4c48e8bbc28da22500fc7a830 |
| SHA256 | 9a40fb65b0914aeaa9640725f76540de5f4e3695d69c2e122cd9e7c5344d6ed7 |
| SHA512 | b236e385928bba9507beafc019e827ce0de1f4d59a76fae3c16e2284bf92aa8a428280be31ce0cd975cfade6ad5136990032700a61af5dae5df0672341f0f5c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8110587bcf8c077823d9ce0123fff567 |
| SHA1 | 8d3a7d6d94fda0b0ac37a4d57b4ea41ec5eceb8b |
| SHA256 | 3a2f08e9a9bac4da0ec7401f29f79be5d609cc03140c21921f574c44d49ee5c0 |
| SHA512 | 1bd98ab7da840b171820fbe17e6147954851c46a61e7187c21dd0e893fe5a946d77e3d8d0b2fc4453c58a4aec3bdd5fbcf92855a86e214c023c2893e094573ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db1b1bc49433ebef6e385d74d0ea0187 |
| SHA1 | 99a6af2a30e7f090fb8bf811f6dbb8d63c2c5b79 |
| SHA256 | 35e0efdd732c73d9b789beff2eb24079097cf22888af29e55826da2d38017578 |
| SHA512 | 07c925fefb46ca7efd20689d667efa12315250aa2b3005f9730f877a4d50771e3adff50d3ea627475369f7f9ff231e9a403f3137a81722929ba14a5b523dcb75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 917d8bb948d349cfbb2edc8148e15a95 |
| SHA1 | 214546fd26a01758f90ab38cca79e8f0739f28e7 |
| SHA256 | 1277828845081decf9a2d3cc21d24b09c06ee1be4aba3d43bc96766ae07bd545 |
| SHA512 | 2b51ee9689a6864c5230c81f414a621fae1086f8416ea3a27adaaed34b1f54d449fafcd7607e6dd2e39a330d44696b18dc8f1d8e11ac4f16e0873e24976ca817 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86b251f256d040ed722c3398a6c4adf6 |
| SHA1 | b9488a2c5c8227b12e12945f3c5adb644b36c546 |
| SHA256 | 4c5fe93cce070de78f612c7fb157d30a70d33aef4d785a83b05b89af8dfbb0aa |
| SHA512 | a4148f92c180ecd963582b6c26b397c2bf6ba52ad01e0baf07b9d3945b5dd13b71feddf0d841ee41c51336df8e4964bab908c221df2ec439b214f3252bc573b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad0e2b0d240d03d1927c9695539aaed6 |
| SHA1 | 8e9d9da00ff11af32307c4ad15304010d405450d |
| SHA256 | 0704d2d2ed73496b4ccf2d5d78c63466a2a8f0c7661b5f9e69fa9cd2a0a3441a |
| SHA512 | 16e99f77e82fa8aee559089eea1dd5be8e7f5e06dd7e05180b8ce8a14d431375b8953bf67496a61ee4f01234bdd6fa5694b6fd94ce319be64febff06aac8a282 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a85d9ef7e47aef7a0fbdf53aba58b02 |
| SHA1 | 939df8c4a560543c9839cbb90bb6b67b3d61780b |
| SHA256 | cc788cf9bf1c5a0a3cdf8bb0c7038319556a260ee6d23691ce5175aab892d41a |
| SHA512 | 956349576c29cd7bb34d90191d92b89755766efcabb99b2c16cb2dfa5a9e5bed2f7567e2a28601bdeee4055a686e26078e7cbf87e5cd2b7ae6d7c14200401a2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57a9744d0f22ed65306d9e225cfa2117 |
| SHA1 | e84c9271ddbceda072f4dee2e5c8e5656b27312a |
| SHA256 | 1e7d1a6a56df170058585df823b03bea8ac2c0df5767b6e02172005c83de0ab4 |
| SHA512 | 211c974310a692cca3ae2c33c77dcb2b325b16c44231885d98dc42e972437c06f00046aca1fc4e29d933b4fb95cff8726af2465d96de739f2d376b4116019c8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 81e46abbe5d088eec80c8e1aa8c7b094 |
| SHA1 | 3a5c650e4689a89e0db45b43f99f4a0af9aeb095 |
| SHA256 | 6412b0269d4e853a6c35816fd765f985a27ff9126da53d1600b193b85b17c25d |
| SHA512 | 7caf819c84c712f75e9b695266a6f5395a82192f0a564e0d394bf6dd94a588750a2c4a25f7fdbe81aaade8dc2a16f29e7f98181558645778bb6379b6d10426a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 280eb2f9d66d966e73cdd3d6ce8d4031 |
| SHA1 | f555155c9263e161db65495e856526d1bbe32071 |
| SHA256 | aefd0f2455a9b5054a2e59294f196a2284753f68c8906025e0f98866bc55ad8a |
| SHA512 | c96219c47b670d66ea55c7c57767af6054c1647b124a020a3c5feaff5c6cb9cd20fdd3b77ccc16bc39546f9e527541a43051c21e0daea304f3863a4b7216c99a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eae224c6bb943f8b8aca626b09dcabf6 |
| SHA1 | 09c8a04bac210284604beaf0a17e5e28137dea1d |
| SHA256 | 505b3990ec8ef5f105b8cd9c77d4c2474614b5fcc365a9bd79e0fd41df7d2d2f |
| SHA512 | 5ac6244fd9b993c330d0382064c471cb10f2bce997441454cbca5602f27e308aadb15fef884babd167bf6c41b75e3f2e12ad3a0d598a9ead68e799932abba1c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c65e928b48de5e61df279d74c74974e |
| SHA1 | dd1b561d8aefd29c893278a4b244c215aa905890 |
| SHA256 | 1089e02cc3cb110a9b4ba45731140135b64dd874a9a92c743a935fafe0f974e6 |
| SHA512 | 05e277af5b1cb6309dfe09e748ec566dddc986ab85787044a87794aa6b045af2fc3d2543f58ddde1b418197ccb54ee2250a8aa499af898adf06e0d9af4b49c13 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c2e47cbf83b2640623cc5b241e18230 |
| SHA1 | 4b25aa880c399d7878b618bfbb9f8603d195bf29 |
| SHA256 | 06629325ebd90d42771f3ac90aa75281d23b52073fa1526d9e235c98911ba019 |
| SHA512 | 39f0ad144c7a2e236bfdecd5fe94c2dbcfb9d6e4570c54cf65073607afbf3108cc2c94db51f4b166dc501a1bc3e5e707ffb85f47e6ea1699b5b16f0cd448e4f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | c18025b3ff34879decc388a5efdf3c4f |
| SHA1 | 3d2fe4225d92c05801a96a5b74019d7c18f593e0 |
| SHA256 | 1a60df6d8a40833a1f1f77667bc84ee36950d2d20faf937b3cab341a1495da1b |
| SHA512 | e4b864caac14a7496087e2176cfb40ba9a95d012886ab0d3c0bb4ab45b1d625b6a67bc531638e29edd5975a594a1f490f66c7d59b6ccf34d986e66dda55e6af0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a9b28963e6ded82c79d5eacc403f06d |
| SHA1 | 7c178d7ca7b1e468b4dbba9fdd50ee243a548fb5 |
| SHA256 | c32e0a38e1a7b9a48ee0798f2beea75db7d01fac70a5daa12a95faebc10460f6 |
| SHA512 | 033ea488e3d7c906c9164143cf8559feb44a28790830695e324b3e1bdba0d2c46b33423f0e13361733cb235da4ea56357572a5dd743ac31d90cddcf3bad1dd12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3580d6885d4b750d8bbffa781c9f0ffd |
| SHA1 | 9de5b3bbfddd0a5b9e7511b0a46588443b2025a6 |
| SHA256 | 063e8138d3014a9bafb112e874b4c5a1098a40bb27bd77d414b961a52b0fd820 |
| SHA512 | 4d7e75c818be78df26edc33df42416ddc0d98f9f717cdf8b7095e5fe3c7b5f76641b975883367174748b6c0780b73f387da7ab5e10621217863fd678e94a9fb0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5127fd0662249b07b0d7c857e0b75163 |
| SHA1 | 2a4b178897a11bb05672b4425cb5563ccab82de1 |
| SHA256 | 2eb63caa24258e52058f6bf0d7315546ad33bcf56ecf605924ef617754951508 |
| SHA512 | 8366cc2cc75d1e94607a920cc3429b0ece83985413aa0457d7e8db495123d496fe5743203f420551145b97da55c3e8ed64f657e6c81595fd237b7d658d3f56ae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 444c051b4c8642a49cce316527528618 |
| SHA1 | 043f526fa02dadc90c1d730a6d0f6996a6a0c949 |
| SHA256 | 08b6b628330f3293d5bb94bff892b6b6e419f7b779a566013ad8846f32b7a1e0 |
| SHA512 | dd0cdb315403c4b83ffda39ff87a537176a9f8ab6feded0fc3c74efb412ec82188215a3ad61b2a4938699c36c45de169c84fb11ea1e45d7b076f8c0ac2dc000a |
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win10v2004-20230915-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000d20e10593616e1af3764a4a318bee0ca805854613a7136cc243576370289377b000000000e8000000002000020000000e9e39740523762a221617cf1261ed75b516d89a07f5cb1bf94e304df3b4f73b4200000000e36b3d425d36efa461b6a81ca840608ebf9b2cfb7e111e9391f14f73b6b08b840000000f282ced98ef04e24ba1fc4d14198731ea3074e3c3105edbb80b5bf388807e4c9e7de99dacc4d95397ddb071af11404b266c8ef9091f8a040db11f3d529be83ac | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f667430ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31061774" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403221803" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6D1798DD-6301-11EE-9784-6A906B243823} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1114956384" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205557430ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1101519148" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1101519148" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000e27b684f348a0eda398717ae0720f8a6301652a4ea8077180e10f5b289dd39fa000000000e8000000002000020000000164133c92a3019e8d3c826b030094cc500bf5dbe9dc69063ad2e10031a73c8b720000000f0139dd5e2ecb52f7e47a06030d4edab7ad568ca975b89e18e32584f3e7e449a400000007e367d39034b4e7e41d2dd8a7142f51422e2fbadc857de40c10783b5648723714d0d2f5117213f0058b935bb8a24fcd8c285c1b581e253a5c7c2b34cf0b86e69 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2676 wrote to memory of 2812 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2676 wrote to memory of 2812 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2676 wrote to memory of 2812 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Note: PID 2676 is the iexplore.exe frame process launched with consentform.html, and PID 2812 is the tab process it spawned (the child's command line carries SCODEF:2676). A frame-to-tab cross-process write is part of Internet Explorer's normal multi-process startup; every process in this run is iexplore.exe, so this signature, the IE registry writes and the Bing/ieonline.microsoft.com traffic below describe browser start-up rather than behaviour of the Android sample.
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\742GEXTW\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
android-x86-arm-20230831-en
Max time kernel
4239852s
Max time network
132s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json | N/A | N/A |
| N/A | /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
com.bracket.response
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.bracket.response/app_DynamicOptDex/oat/x86/poOgS.odex --compiler-filter=quicken --class-loader-context=&
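The "Loads dropped Dex/Jar" signature and the dex2oat command line above show the payload written to app_DynamicOptDex/poOgS.json being compiled as a DEX file despite its .json name: dex2oat only checks the header, not the extension. The following Python is an added example (not the sandbox's own signature code and not the sample's code) of the check an analyst would run on such a dropped file: read the DEX magic, verify the header's Adler-32 checksum and SHA-1 signature, and flag a DEX stored under a non-DEX extension. The sample input is a constructed header-only DEX built inline; the real poOgS.json is not part of this page, and the triage() wording is the author's, not Triage's.

```python
import hashlib
import struct
import zlib

# DEX header constants from the Dalvik executable format specification.
DEX_MAGIC_PREFIX = b"dex\n"       # followed by a 3-digit version and a NUL byte
DEX_HEADER_SIZE = 0x70            # fixed size of header_item
DEX_ENDIAN_CONSTANT = 0x12345678  # little-endian marker stored in endian_tag


def inspect_dex(blob: bytes) -> dict:
    """Classify a byte string as DEX or not and validate the header's integrity fields.

    The header carries two self-checks: an Adler-32 over everything after the
    checksum field (offset 12 to EOF) and a SHA-1 over everything after the
    signature field (offset 32 to EOF). A disguised but intact payload passes
    both; a truncated or patched drop fails them.
    """
    info = {
        "is_dex": False,
        "version": None,
        "checksum_ok": False,
        "signature_ok": False,
        "header_ok": False,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    if (len(blob) < DEX_HEADER_SIZE
            or blob[:4] != DEX_MAGIC_PREFIX
            or not blob[4:7].isdigit()
            or blob[7] != 0):
        return info
    info["is_dex"] = True
    info["version"] = blob[4:7].decode("ascii")
    (stored_checksum,) = struct.unpack_from("<I", blob, 8)
    stored_signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    info["checksum_ok"] = stored_checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF)
    info["signature_ok"] = stored_signature == hashlib.sha1(blob[32:]).digest()
    info["header_ok"] = (file_size == len(blob)
                         and header_size == DEX_HEADER_SIZE
                         and endian_tag == DEX_ENDIAN_CONSTANT)
    return info


def build_sample_dex(version: bytes = b"035") -> bytes:
    """Constructed sample input: a header-only DEX (no classes, no map) whose
    checksum and signature are consistent. It is NOT the dropped poOgS.json."""
    # file_size, header_size, endian_tag, then the remaining 17 u32 header fields zeroed
    tail = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    tail += b"\x00" * (17 * 4)
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return DEX_MAGIC_PREFIX + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


def triage(path: str, blob: bytes) -> str:
    """One-line verdict: a DEX whose on-disk name is not .dex/.jar/.apk is
    reported as disguised, which is what app_DynamicOptDex/poOgS.json would be."""
    info = inspect_dex(blob)
    if not info["is_dex"]:
        return f"{path}: not DEX (sha256 {info['sha256'][:16]}...)"
    intact = info["checksum_ok"] and info["signature_ok"] and info["header_ok"]
    disguised = not path.lower().endswith((".dex", ".jar", ".apk"))
    return (f"{path}: DEX v{info['version']}, "
            f"{'intact' if intact else 'TAMPERED/TRUNCATED'}"
            f"{', disguised extension' if disguised else ''}")


if __name__ == "__main__":
    sample = build_sample_dex()
    print(triage("/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json", sample))
    print(triage("config.json", b'{"ok": true}'))
    print(triage("broken.json", sample[:-1] + b"\x01"))
```

Run it against the four poOgS.json variants listed under Files: the same path carries different hashes across runs, so checking each copy's header tells you which drops are complete DEX files dex2oat would accept and which are partial writes.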
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.36.42:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| NL | 142.250.179.142:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
Files
/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | eb12dc860803fa235a67514476abad82 |
| SHA1 | 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70 |
| SHA256 | b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e |
| SHA512 | 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46 |
/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | ea34525b6118054f1c247d9b9f12a88e |
| SHA1 | 320867b799af423780a346ce10032892d008369b |
| SHA256 | 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c |
| SHA512 | f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e |
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | 41e439e3c62b9885f1dbd5934dde2949 |
| SHA1 | 73ded2dacfe908dc8ed08a3535d0111d712501a3 |
| SHA256 | 5aae4163bcb5869a98f0fd358726b42076b58b30db4ee0e24951952a2ad8a6a0 |
| SHA512 | e5b47ba9910f9ab6ded461dfc33dabe65d7ee2b6cdfced599c6ca126a4786391492ef514435e567e522932fac27bb425f1a54b7ca9ba8e2933e7d6d1e490a9a2 |
/data/data/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof
| MD5 | e412da86696504a043174151f29ab837 |
| SHA1 | 3cfeb714eb0a3194db8d6897fc2c2791dfdba11e |
| SHA256 | 3dee9886ed3b23090c0581c581f5c1e7ee3f392b07e1dfc5c6873b4176219e1b |
| SHA512 | d967258b39bb2a4edf9007805e94d6d27be45b3855a126a8327374ff62922ca91018d44f86aa49358041157799fd89280ce8f9ebc46930384f86c4669e205e2f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
android-x64-20230831-en
Max time kernel
4239857s
Max time network
133s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json | N/A | N/A |
Processes
com.bracket.response
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.208.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
| DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp |
Files
/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | eb12dc860803fa235a67514476abad82 |
| SHA1 | 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70 |
| SHA256 | b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e |
| SHA512 | 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46 |
/data/data/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | ea34525b6118054f1c247d9b9f12a88e |
| SHA1 | 320867b799af423780a346ce10032892d008369b |
| SHA256 | 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c |
| SHA512 | f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e |
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/data/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof
| MD5 | 620a90141150941cd02ee12f6c96f352 |
| SHA1 | 4dc427f490740b1a07e192904ab84529e975b36a |
| SHA256 | d5876df73050b09ab44d51d8c15b5756ccb06ec62e0d2768f341d2c29df90228 |
| SHA512 | 658f602256db517b061c1d0b712072e3a155a86b2e527316d5970ccdca59c4899cb582acc7557220ce7df8e9e431f555ba93fdad85ba6a859cb03f65cc98aef0 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
android-x64-arm64-20230831-en
Max time kernel
4239869s
Max time network
148s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.bracket.response
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.142:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
Files
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | eb12dc860803fa235a67514476abad82 |
| SHA1 | 06816b1c6187a7d140be9a0c13a6ffaa66f9dc70 |
| SHA256 | b3f6b4cc6cd8bff456f4aa2ef985a46d20f892e90ad78214d73417a8710be91e |
| SHA512 | 0c206e3eede4351cb67034e9dcf24fae3bb07fc091486a222a142eb0b28932e143b96db93f141a1a4b1568b0599ddc4c4bda4f992ed1c621ec410e5fd8a1bb46 |
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | ea34525b6118054f1c247d9b9f12a88e |
| SHA1 | 320867b799af423780a346ce10032892d008369b |
| SHA256 | 46b133f9cd50cd7145b350f39b519a5956a63ef7b845a8e1c9dd0ae42791993c |
| SHA512 | f304308b9df778f80b8e3c8901d74160af7bce928a980a41bc651fb9cddbb75e1c03e8330797691870f7901fd9dd4188410d6722a1709e5b884f095e6e68d03e |
/data/user/0/com.bracket.response/app_DynamicOptDex/poOgS.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/user/0/com.bracket.response/app_DynamicOptDex/oat/poOgS.json.cur.prof
| MD5 | 4059e3937c40b579488ba69616dd1560 |
| SHA1 | b70a5c1af9a6343a092b2604d454337a2e08ac56 |
| SHA256 | 5c5d0da9afb626458fd0b0fad45d8c0d61368fc0e8347eaed4f5e83c6043f186 |
| SHA512 | d2093bf3e9617da8c626e25112df8d2987afdf86f733b74a26628578affd1ee4d6102c37abc592a423705dfad1a295fea1f3fdb2e5b9894f30173f0c777ae9e1 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win7-20230831-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js