Analysis Overview
SHA256
65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb
Threat Level: Known bad
The file 65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb.bin was found to be: Known bad.
Malicious Activity Summary
Cerberus payload
Alienbot
Cerberus
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-06 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:06
Platform
android-x64-20231023.1-en
Max time kernel
2796164s
Max time network
166s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A |
Processes
com.clip.shoulder
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.36.46:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 142.250.179.138:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.165.25:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| DE | 172.217.23.196:443 | N/A | tcp |
| NL | 216.58.214.14:443 | N/A | tcp |
| NL | 142.250.27.188:5228 | N/A | tcp |
| NL | 142.251.36.34:443 | N/A | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.208.106:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | N/A | tcp |
Files
/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 966afdf8cdddbd6de72f0b2d30cde02e |
| SHA1 | 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8 |
| SHA256 | 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf |
| SHA512 | fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb |
/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 033372e71cfe37afa161932ca1514575 |
| SHA1 | 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2 |
| SHA256 | 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841 |
| SHA512 | c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374 |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | fef861697d6e865ffd0ac495bba92bc3 |
| SHA1 | 796094bd56f01b637c0165d8d734dc00a9481e4b |
| SHA256 | 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42 |
| SHA512 | fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:07
Platform
android-x64-arm64-20231023-en
Max time kernel
2796336s
Max time network
169s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.clip.shoulder
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| NL | 142.250.179.142:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
Files
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 966afdf8cdddbd6de72f0b2d30cde02e |
| SHA1 | 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8 |
| SHA256 | 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf |
| SHA512 | fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 033372e71cfe37afa161932ca1514575 |
| SHA1 | 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2 |
| SHA256 | 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841 |
| SHA512 | c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374 |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | fef861697d6e865ffd0ac495bba92bc3 |
| SHA1 | 796094bd56f01b637c0165d8d734dc00a9481e4b |
| SHA256 | 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42 |
| SHA512 | fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8 |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/oat/xDrdtlu.json.cur.prof
| MD5 | eafae8a811bc8b926f22285962e14e92 |
| SHA1 | 3a5c3ef68d49a469a02e6ed3ef21ad9de7483640 |
| SHA256 | 7e4bcadf0d198f6b9b79175843c03dc38ca4b5362b6831afec0b18d3b18748b9 |
| SHA512 | b8f5c592a971335920617328ac6c9b69121366ba0035601be1e935887b2e50ad10cb20b9161861da6594abfe498be5b62069e876193d4c9cd5a2cd3b57992c72 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231020-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5022d3dffc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AA8DC91-7CF0-11EE-9F09-7277A2B39E8A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469960" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f54000000000200000000001066000000010000200000008c38ff7871843585a4cc03f854450d1a38705be0aee3afac9198d7513140ee16000000000e80000000020000200000008074d43a2ab3018c12e1b6124e2846bc8fb6313ca656bcf0e66a1f4da44c62f620000000ebe68a4561d4915745baafed08eefef5015fbed65abcb1525620c6d9704379bb400000005bf4415a9cf2f6d2bf97218a43dd97de38468fa8f7c00e9ddc328ad598a96708f3842d06392ecec8651f4d4d20016031f665f8c77645e8bff37de2c82e935ac2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1896 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1896 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1896 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1896 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6CF9.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6D59.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89be4e24e4b915da76112f495c386190 |
| SHA1 | a8652c731ae81d578a7fbb9d19f917955a666d7c |
| SHA256 | f53b8022e9a66c97faff79dc041420b2dd3832019adb8136dd492c0fcb0c7357 |
| SHA512 | 5d8f32504126cefc917b0d23bd31c00ffbbb99b1a6099ea98fc71b6444248601c87422cda2f8761d1ac27bbb73c83f8c24f6f49dca7e9c64cdf6ceaa9e222306 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 455218b0f105dabfb06549b73b148969 |
| SHA1 | 5456af24f12433d91dbf50553b166a948d2fd18e |
| SHA256 | 28a8e34bd76e7089cfe4ae322c4ccf756e929007602bb3287efab445a6b79284 |
| SHA512 | 234200882ad1a08765b86740d223140a7d73e405efe661bf7db2be5bf8c0d0541c3f6f223d8faebd2f10571f802d76fa36923d98ad8293a35a0c28ee42bf99b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 466a50ecec78a40f2a0e863656b1f21f |
| SHA1 | 5cf7033718a5e1b690eecdd3e47b07f8b40f6338 |
| SHA256 | d864df21f960550337cd9ab9e1fc02f0be873a897e259509532198f24904c730 |
| SHA512 | 93d5ad29d1ec1cd2215d8ce49f3a49297ce48f8f4c37d7031b7dcea96cac71998509e375f68d560939f39dcb631f922afa8493f711b628b201071d55fcc0cd43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a9b463944648cd5b102f6fa84bb3667 |
| SHA1 | 7e78394d6c9f471aa2826af7c51954ae4c5f718f |
| SHA256 | 48625594cf5fdd08adff2e0f9ed22f720f9b92590f94faf8f03a555b0cbddf07 |
| SHA512 | 0f7b61bc7a59acb3563ff2e5e0959ffb61cf088ed14a824ba0be40f665ad598dd0009846afdcc8337ae5a3d12470ad3c1b87169f060bcb7bef762b9c6dfee3bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 459646f7065c9708b74357966b94c91d |
| SHA1 | 3f6d5ea1709f10b254764e844817727d89cc9f0f |
| SHA256 | d07c01333dd72d205790d444694d775ebb208cc28e2d73efe13f2991762c0f15 |
| SHA512 | 1dd05b5eed9f8805edeccff9903c0d5acda7cbc9ad0a8456165b26c978406a89a6def53ae5e7e2287de298a217f2bab02d576ac8ba8c0cc63b1fb5bb14b62c6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac019c42ab2154d7652f081b322bfb04 |
| SHA1 | f165c80ce569384cc61f43ad1ee713c1ed7267ea |
| SHA256 | 8d76e16f0b0b9dc57778a496db30beabc9c3058cf9d55547a7b797b8ff0a8143 |
| SHA512 | 26e6eb959edbc4838d419063ca2cad0cbf46dcbf3d779b8aaee11b192326ca7cc7efd13c949a28284ebf2e40086d0ea96131f5ecb822c88d12e73c5b3d0f18c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b8e50b6feff80400c414b7b1d1dff54 |
| SHA1 | 6ffdd121edaa009043c4a7f8ea240116b82107e7 |
| SHA256 | 4f32b7f16a1360dbd676f17618cb41ec1e9d577b4471a229e5c63ba6fe52fddb |
| SHA512 | 1463a53b8f77aa3bd7d806ba4daed8e85506f536fd3ee0a0ec8dfd67c1d9bc9f8bf41987132ae91d36908f6743809deefe4f3748826545f67ceeee435db3229e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5319337ce5984c06f0b28f6158cd0b79 |
| SHA1 | 2737e36c3d28950deff005dfe996f46fedccb2a2 |
| SHA256 | ed331b1b09efefd812d328703a046da898ff8e234b49af1913ba705c8c7d85a4 |
| SHA512 | e5704596bef71a96726bb7793a8f3a3ce336a903f26fca4f2d8ad6bf3b703cb36a95406402c00a8829c57b39c6a93ce9bbd3a95fd5d803a3b20859b6942dfc34 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a04a702141c5c785d6424dac3ff9c324 |
| SHA1 | 60879d63464b24badca47f81ead7f7028391528f |
| SHA256 | ef36fe18936154d9c44520da254508953dc7e85e8fef65b52b67516f8dabc0be |
| SHA512 | 2269da0e3ed4a3922cc43ecee08f3c1c68635218ba655364c290f7bf1b83116f078a9f1c9cd3b986120307666320855342d1ded15fa649803820fe4c53a590dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a60106a046b33b15f08223ac91d13471 |
| SHA1 | fed332fa9bb6d2bd8360eeb0d7cc9657b6cd6e04 |
| SHA256 | 1294dfeae32549cdd2597a21d953c155e7763f6340160de73df67e288b15987a |
| SHA512 | c1c257f89c4c084e5ecfb401803fc8d4de980847bad611294e23fffd49a243c195a424385d9f60f4acea40521f8313d4e43f2f57eb6c2eb14fbb4709e8e78e0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 979024a11b49ad15cf8d766ba9ffbd98 |
| SHA1 | 86ebec40a80ec8b8aecce4dff92d40ad3582aa74 |
| SHA256 | 337b3c968be967c27de7d6b265255c3de6423a7385daf12da35d6ca18fa98fe5 |
| SHA512 | 9513fb22ad3ce2cee84801ccd198443b7a373decd00f5feb6a6f722ce776d75508eaae99d79512c0bbbf4824174a4ae5a9a91970df1e9aa0c9e3248d31dffd97 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84d3ed49c8efd3c4ee0866b1f9d2c89c |
| SHA1 | 2b4ca7b72b5aea3d5c467fca9948962649dcb751 |
| SHA256 | 897beeea6166597988e56b34b43c5e5b3a579c5e629218a288843fa4f95d36ba |
| SHA512 | 1f027badaa38f69639346de692f697721bde6f51a7e0d2f730e0f36ac4a3961a9256062debbb8659fd04cacdac8e372222cb9dc59500d697fd7075aaa8d30f11 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35bb2dcb7c7c5103c73638c28335e18d |
| SHA1 | 10146227bfd44eebfbe5238f6d7ede7f3da4757c |
| SHA256 | 083f53f6ef24f7c76c3ce8c53c55a9706c94a52192b345891258305bcbdac710 |
| SHA512 | 4786655e91ea94c423502400c22337aa79be910255647218d3b6ec15bdd6c7c9874cb72e6395d60f65a9c8698ffbb4e50eda7458398f8f138fae842cbfecf69e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e32525cbfa71edacd5db2bea9d3ed82 |
| SHA1 | ff3048a9682993d7a98ce51b3516f966581e09fd |
| SHA256 | 892db47401db03cc064689ec48b706d698cad934765463457bb5f6ef52f8c1e1 |
| SHA512 | 2a560c29902839167c13f4643d25eeb4f3f52899418d3719362dd931f78c8fdee81048c1368f2d3d1c913fa78558eadc7ecda8663f4406c4d740666d9e99266d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93a8df20b01b7bffa95ca649252e5bc1 |
| SHA1 | 8b2cade5cd0fe36bcffb8dfc03f95776addfd63a |
| SHA256 | f116581146e651e360e6d689f8096070e6c7b281dc0aacdafcd113c3abd58ebe |
| SHA512 | 1f0df7d351de030eca78b58999f4e2564b478180d1b5c68c20f51188aec8a19185385fe6c9aec95488cf90c48ef67e393aa7580ecce8bae4d90f1a1797db36f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75dafe1b071e91e4e38d7763377db177 |
| SHA1 | 774cda2e860b6ce38b1e17257a7f27ed1dd779c1 |
| SHA256 | 066ff254651d5df72b4005094b0f18bd33b0f694a99d8e05aa4fcdd37294960a |
| SHA512 | d60e178c470e57cd71baaebf1d053b10bb472585315b1cc891fe7371ed7268511f95015595ab905b877620be97a0c8b0b2db6fb65561850b40ab3be3242924bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | affac93b3161949cd6ffeb72a84804d6 |
| SHA1 | fbd6142e54c10429052d28630b07c78b0e3fa5f3 |
| SHA256 | 1d1d855a54a4b6ff40ec76f811e58c8809db9f22e45499ab08d356deec54e118 |
| SHA512 | 59fd958786b1be21dd0339ac00418711a51325f6c37f7869a69d5f236f7c45096ab580c1385e1dea4a9efb1695222115778125dfa4ee5fb5ce704208cb317c62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 110413c4feb35fddc2d7183be6bd8fcf |
| SHA1 | c98f802b9ae0286cd46e45d1f3f767cd812d03de |
| SHA256 | 8720ff95a1d3814a66c2be1e801228e7864c3a99f16d9cf09b67f55250edea0d |
| SHA512 | d3cd27a83c06c32bcb32feca6aa5af91da89840db121d632bcd7e70cae1d7bad7d8713e5a6c4e51d8f7837529edee9ef4225f90cbea0a619dec126242134a111 |
Analysis: behavioral5
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231020-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f7fdccfc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000440e5358c3ffdb243a8a29d367925da267af9d4c89766907697c4f9961f6ba11000000000e80000000020000200000002ad6ce581b76d7894abf40c06900ebe7e5d0a300c4ac4b5eb2b598057f600b3e1000000029bd2f47adbcc6f448abcff35a1bdb5b4000000080d9e93a49b69129813ff57824116928f9e97eae2a900995b946b5298036c5b6cda59aaf3d8376d2f9ee6459da4503e57ac8bbb566efe8c46a15c3a8ad9a3419 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6367109fb103da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3414828370" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 6367109fb103da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F72AABCE-7CEF-11EE-91E2-7E7A7571E0BD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000011cc51aac1d2c1b6a743b7cfc7fa7d38d23eed8c3aaa03497234b0c204020207000000000e8000000002000020000000a467b1c9a5ff2b930d71bca8d71f63032709d5849be960ce4eced788869870bf20000000847dd1cb2511f6e7d6cdee32440e2b0d26082b08504abbc212f9a7e2c1396feb400000001369dae0ebf8aadad0d230d93dd365f6e4460401bee3ba37c8c083df5516f0e60f55e25a8a1ddc09ece17766b1b804f484aa4b7b55652e97569d953fa6099c1f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000053317cfe4efead412f931beaae2fb10a84d295ad0baf6ecfe88ad455505dc588000000000e8000000002000020000000bc4fc3cc77efbc264b69e5640427892b64a8413692a73fddc748dafbf82b4472200000000483c973d2614493368b4c1649c8c5adb2b17b97dd6f94ddc3ecc8a7eb9ef6fb4000000078a4a5e63e6afa572027aa42b54e863a8d9428301bd2e585f4e91e3a5f82eb10084d7e7b8db52a89f7ae6c62210e4880c8679d030625bbac5649f0b43752573b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000736fc092588c77be8a5d3b93051560c40e0a5d5a02a3059a92ecc5ea8b2cb2d6000000000e80000000020000200000005f57325f5fbd96302deb0aa35f242ca43898856e6e1f62409bcc05be47741b8050000000fbb38b656ac52941777f0633c1bd0ea3272bc48e6a1ec523ba93d132909aea1a90fdb421109f973b28c81ec9edcb3df335840cfac2e144996586a3c55d199f816bdf59d03c19ae71dcfb6789a05d97224000000078f84ae53fa854ff22fb396aa3082e599d1f67a2c48ffd857469c791c68fa4c341d59c139e01b8ee903a7fca2d4f3f1cf5a685daa44608883e04d3bfeb882e86 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3427797864" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600a11cdfc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3414828370" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000fe262f66816b0915c7e139a3d73a156a7b544bf972a18cb8ec38fe5f18859e41000000000e8000000002000020000000cd02c07174d10b7aff74cb19bcf5e6b93c08ed976c71ae0e116fbda9afddaf4c1000000004c086f7db4ada02b0c2d2896dabea76400000000173e2e2a4727182932bbe1e11fb4f7001b9835f3214b594fc26682ff0acf565326ae29cd3e1eccc59111f49fe4b5012774b599e52493cd76c5b81099eb1df26 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3712 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3712 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3712 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:17410 /prefetch:2
Network
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Temp\Kno93C4.tmp
| MD5 | 002d5646771d31d1e7c57990cc020150 |
| SHA1 | a28ec731f9106c252f313cca349a68ef94ee3de9 |
| SHA256 | 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f |
| SHA512 | 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral14
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win7-20231020-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231023-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231023-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win7-20231025-en
Max time kernel
134s
Max time network
134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e7171840000000002000000000010660000000100002000000047b5a3999d992bf85c720accabd551b2cbbef3674a92c5404767b2cc7a9441b9000000000e800000000200002000000028e680a6eec29055580c250d214b00e4ad98913cf3ddf4b9a15e9b859600ac4c200000000f00eb20aebc5567c34b70753ba9902ecbc2bb8fbc0c8e2c4ecc05155c80c30d4000000060fdffcd260079f1011ebecc0e29486db8db58595cc77ca67c88dbda65dd74300f5fe7e465876dccab546f51b0612a4830beb4474f78f9c92940399ce54b1432 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F05ADA51-7CEF-11EE-AF87-7A1D39B0C785} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000fe12dc891c7b5f313dd9a4a5315418cae8f43c313534694bed57cc3abfc199d3000000000e8000000002000020000000b4088d3cf13f25b3e225c4840ab45e4c3eeeb6f40365ff2d7ca3e884aa62bf9b90000000cd351ee9a8275289800f26e477de0eaa365ac6ce50e1fd3df9da308920d6d58b804bf971db308ee142a65ca306f89c4e690ab88fec8857f892976b2a086a31c50047baa050d775add8238bd36d4beb3b590fb679a8414233e30f4d13294824953fe3f6911498d78b0cd019853b860a883b5c0a2a419c37f428594fa9fc3714938d274308d4c977924c2451c051dcd1e04000000054480b5f6aea6a9b9674c49f1dc30671bd4c2ddcbf45ac41773988d4c12fbd75d89fd1e75115a465c579367e9c0609c18189102194a3d075d81be1ce2d57d540 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208a65c5fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469915" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 1764 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 1764 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 1764 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 1764 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231025-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231020-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win7-20231023-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win10v2004-20231023-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd00000000020000000000106600000001000020000000b1b8ae6cbe9897ffa224303210858e48c7d850c08558859e6d5e87962be63953000000000e800000000200002000000097bcfb258c06ea14c385a663ee1d6bae13860e0b81230245a605c85d634919282000000050ee7ff4ea63baa5313ff02e71ac1728b194e5f5627e84381eeadf1eb77eee3940000000b5e073e2a8894ca8b3d49953fdc89819cf6fdcb2517b3fadfe3a865d9f7cd007179fbad4eade1094023b037f5fc3868df9673265759f2144aab9b1e5c4e3c3a0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4094c9d2fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd000000000200000000001066000000010000200000002eee64f5e70161d96d0befec6844833ef249560d816a7812c955529cf34f2bf0000000000e80000000020000200000001853fd9fc6a39b9236b58af1b3f404129f18cd677828bdba7c97ace35d45032220000000e453775d8995b84f115163a0b91be087808876fd39995831b75428fb96a628f34000000059262bbc2ea1b65ab0f6f20466c1dd3fcf5daa5b500883e553182e710c8dcdc92a7d1b4827945dcac3a8feb79f673194391aeea86d50a8ba959a7f18d3c34b50 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073043" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3460496096" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a08bd2fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3460496096" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F9D96ACC-7CEF-11EE-B196-62262E857B52} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3522370979" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4424 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4424 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4424 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\suggestions[1].en-US
Analysis: behavioral8
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win7-20231023-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFA2DCC1-7CEF-11EE-AF89-7E017AD50F09} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000965e9a2b8ac4b842686a2cf553857bbb40a5d08e27a8d23924fe0b531c009e44000000000e80000000020000200000006846d3fdf85b8c1067346b50dcf1aba1a44226e9e4f9f41df7cc767f952dbab5200000004346ac42410d8443959265626729a8c5210d9563c2e0f50dc1b69f0f05dc9adb400000009c6cbeb158222358c8a1b3d26cc60880de33d831012fa223090875bb7a2c55c7ade0cdd260ed183ddc95f52c68f4c9ac931b68deac994d004e0c1fddfba47e25 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7059e7c4fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469913" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 2444 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2228 wrote to memory of 2444 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2228 wrote to memory of 2444 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2228 wrote to memory of 2444 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabBB45.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarBB98.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a33dc17dd6a82d9319cf12c836058d1 |
| SHA1 | d07ce12cc8ae74be3eec70f9b321f54bc7538942 |
| SHA256 | e92142d870fac937263db627833068e9b6d028397f06fdfe88b19461b9836b69 |
| SHA512 | 4d7d9be1af8d57423099b7fe69b87b30199de5120d3cfe009b3cfc16eb963061340161daf3ce23c9a0fa81936346c5a75c2c06945009d62e8848f4cd11a04d72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d1512202a2c839f73171f6d3a5f2f62 |
| SHA1 | 866d3c1f68123cca1658a6bedaee89a4c6a8d7ce |
| SHA256 | 336ac0acbe65c240f6b17e8251beb6b87501b5953f7a0f1fc5995fe9174821fe |
| SHA512 | 7a4cbd119fee1b36f8b47b560da6772bd9842b85a9e6511ec52b1454730e231dc955c7923f261706e4e66d93a6dea47ac64c06e383c2bab2141b5d5fc6c35a3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0819c7274bbafc2bf52414de21a38cf2 |
| SHA1 | eccf35b5c436b8c194a1dc2a56bbe3818dc7c970 |
| SHA256 | c623741b69f92eb9d8e29c7ad4628c9bd77e7a71920735ccdb480ae3fd292d3c |
| SHA512 | 6836f227414aa8bc852badf82691637bd516e7c498903791690286887b1292b69b78eb4f45eaf7e807fdfaf009b7fab95fee11afe3421752e3db853762e8016a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c70badfa0d958eb009d26cd1ac66a691 |
| SHA1 | 5f97de4cd245d7154c548145620f8973488a9d1e |
| SHA256 | 33a0e954320ed9652b6717895e0848550dff0f8e5129c2c9bd04acb2bb232cad |
| SHA512 | 42fa817672610d7463fc2bd3f727ab07fa8e05376d02b24e0701328a6d4f7e0c856c143e9231e29f762116b3db1d708721de9470458d3733c5c63066f6e5f02c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cee906e85bc1cff097e9c758f55c9992 |
| SHA1 | b9a967114000d731de2704932420eb64b6701383 |
| SHA256 | 785f9d3620e63e725dc6121bf237528eb136a5ee3ceba2367771b05ebee16916 |
| SHA512 | da1402569ea1a52ab7e4ca9e1ea6a15b7ce32ec6f321ee6d73f84e48bfdf3b02211f2dcfd89ffe0ea5d869b0a51525be2654bf0520e1d544058f920c059acd5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54852040b3a4729820f809aa977caab4 |
| SHA1 | 978f6fc8de5dc35c86e9f9409778886c193698cc |
| SHA256 | b123f8520fbb561c1a344cacf2c9b959ed10843cff845289e3832c5a3e049713 |
| SHA512 | 81e9eabe017b515ea052a4f1aeab6cb0a8d305b7bce3b79ed3887b646ee850cfa89fc876204d2a491e88cbf2bb37ba03da61a29833339edbe412934420a6a769 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8dfcae88842f018ec9c000f4118ad052 |
| SHA1 | edba873ced9c49421c32b7d31616ffba4b51e9c7 |
| SHA256 | 1ee8c70266433734f029e7c6123d785f5b2c20e8bb906f784234c680777017f8 |
| SHA512 | 4155bd3332b385371b82a2b711e421662fc514f99bd8e3cd6ae2a58cbc31f1953c138d989b8921a4898505842b6374dfff622a69c3ee27e3db0a19c5dd0827d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f89e485515147b9143201ba3bfb5647 |
| SHA1 | 54af25a1f00ccb912accd47ce290e4d7e3f3789f |
| SHA256 | d1f2b7e5e557355dc95f96c99e77899a7e03c090daf09f16722ac68a9f8e15c9 |
| SHA512 | 172e392a4af118b9a39f6b2ed017238074c9c0eb9b0b0ac42380787ec3bdeb203c752e1bce0f0d0d46a32a6e3985f009226a7ad167a08925e5e86f0a48027278 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2dbe3726c09882143fcce3c10444468 |
| SHA1 | 1c0d46fe7c081ee0b289e84b6d8ad486469af68b |
| SHA256 | 10834cdcf1d670893500d26a33b14e982587d9b3665ff1b54f366de2c7a14018 |
| SHA512 | 688ad5b8ad22a0965073897fb3b49f08803c3b31cae7814ff12ad938e178c15e7885b91f6d02f68019e0ab5c566d9676dd2c3cc8bc74e9113c6220cf2a12a23b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3482fbda76ba26454804d8725db32e74 |
| SHA1 | 614fddd6ac67a0b03e947a83455cf08a83439680 |
| SHA256 | 0c2cd914a2c6ba33ddec3339e07a8ce74faa3eda6b3ec9fe7e118672d5f655e5 |
| SHA512 | 4336eedd65eb774151a8314c416a3bff7cc6bc4186668318fbfd5c56f17c61b87fcef21a8113a2cfde12ba33be3c0b59058ae7caea44fc65fd86c5e4d9ebdc6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1986c1ccaec5e9f7d37c82419a3b77b9 |
| SHA1 | 5e00828e0cced4440d4027f8a2a06abb9e605299 |
| SHA256 | 3b3cbcfe25e3a56e1144c0ca4386c4c525be2bbea8b442d45f17e7b1429fc191 |
| SHA512 | f42499c62cebda1c068b06ac68ecbe4ea60636d8c8ac7e073c4d5ec68eb5eb137876d868cfc34a1f2ef6bcffa53d48ce65744f9e69d7a77ed33eadbff539350d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2cf8078faac3be82e2e0879fade2370a |
| SHA1 | 2e5e3aea23c3fc009e46dddf6d8c433809852768 |
| SHA256 | f93f6c7577f1415503827aec804b55a2efc4e4b67a90999ac1463e4e23f8af3e |
| SHA512 | d8eeb2a65cb0e018c3a8ef49dc7390afdf4d21b2e9a043b5027308e2d75a28e55298c4629d71a252ad69a838a6f6cd607c24220102b84aee1883fd7dbeddebe8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3f46934422799a89d5a2567e5f5c5a8 |
| SHA1 | 93668407c2a9fdae31c55464f0966762429acb5a |
| SHA256 | d44b8a503798e12b6fd8aead5f7a67d45c597d633f033524f1ad8b4b02f56680 |
| SHA512 | e26296c0c276f9f9dd89d9d6e25dfd7a17d03b8eef8bf8fc505c2c67b76b7deb52be6887585542d9163468c0791e95b68b3ba2651c6b26ef84e41912d46ab49f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dad1386bc5eb9f261fbb34e1da88e004 |
| SHA1 | 87694e8778dc2fb10e4d2f805b4c11efa233f434 |
| SHA256 | 4e26dd0a6b2e70a54f4c9f33ac9a7beec4a0e6ce87d4ca760160789cd7c84020 |
| SHA512 | c8964c1e26ced1cced908b9e0fe379049b6efc0c95a9373f7059642fcf51306272621822f69e545cf0ebfedf936aab0d0d54126b1a1c2172dee32de83317b17f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ac0efe6d6f67beb7d306e38d02dfb1f |
| SHA1 | 2a8ba8b167b554fead00c608622634a105fb9ab8 |
| SHA256 | 77990b937db82db673f6b8dda6ffe84045ac29d7183433e601e7feb62b703e60 |
| SHA512 | 46ebbf098a649f88ed8677be1102e3165e7878f7fddf2f9e8b0778461203bf582ca73f61ed7182904095081cb7ebde31e6aaab2a15eb2d6f5e43d0fdebff21e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 885258c424379c3730050afcc5fe432c |
| SHA1 | 58d6d1495d47e3f885867925a6f5a42847a4b3ae |
| SHA256 | a83304ebbaad25a2914f0e6fff37c9061aba9814cca6af36ccd7d66eb2d96936 |
| SHA512 | c7b8bb093164de3f9a1043b040535e179a15f592b745b70f7be67194b578e8a1e5cc323f06f43ae4bfcc3eef54126cee55f4ed9a50f5e30650de99a940678a2f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 958d918c225876563c956d2c460c432b |
| SHA1 | c225d3b97afd774a154fa57ce4e69ea234fc90f8 |
| SHA256 | 479f44959e6881188b86994eec12a0ffb889fb0e47849ed3fc84f71c4016c54e |
| SHA512 | 48d1495d560f30050516fcf6d5ff48b0cccacda2ea17505cd57c79988f08079793fca4e6372c4cd0a533f09ae74cca34f65c465615a969684c480816f1376e7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fcd98e69077802b974ea5a874565e9c |
| SHA1 | 312cd97f3fa91cc8b28a675e290869e5e92305e8 |
| SHA256 | 1ad1ae0922b39ee6cd40ad45c431bb079cec5d6b0059281fe8ad36bcdb768404 |
| SHA512 | 56ac76b24956176d79a3b81c9e8c44434c26ac3bc68f937df345b11ccbe031d4a4a4ac14878b156835659d40ad0ea38052691d859227c6c903c0464d562c882b |
Analysis: behavioral9
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win10v2004-20231020-en
Max time kernel
73s
Max time network
138s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f79ee3fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DBA9D39-7CF0-11EE-88E4-42A331C33A28} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3794944618" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3807914676" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c5b6e3fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3794944618" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000c3148e180bf8ab0ddcfe636fa64f122540fda21a91438c4a30a2908fcacbc8d4000000000e80000000020000200000008978c6355a295d24edd33c00116a3074ff91b6da29b188e9f9edc13ebfcbd70320000000b61318537837994b2617d2aac21e2ea5fd8660da0e1c9f4e00c95f1a32b487eb400000004acd45bf7ac53a87f4f3b83409564eea2fba206f2948edacf013c0b30e7dfd1ab4a74bfdc9948dc0988e6a1f654037c84c639f4108f07617bdc4c51bd6b33f77 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000147d47a3a7c4325716a9d31119866ef8a95515f6d64d26db4b9a273010f59a31000000000e8000000002000020000000cf5a115e882ed07c73fc5ebef51b0574f969958b67a5b5f0f4973d2814a72cf6200000006d11c012b15861a89974d54bc4ce08e3f52451ccb0fa58cc7fcbdb554828acff4000000015bc41abbdfa6cbad4a689284a7fc4e131c91fd6c459b0662f3003fcae91ab3ee23e82826a6521d39b210ece50884f1c64bc895aa3886fbd23ef9f504c372586 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073071" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4032 wrote to memory of 2360 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4032 wrote to memory of 2360 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4032 wrote to memory of 2360 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral16
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231023-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:07
Platform
android-x86-arm-20231023-en
Max time kernel
2796321s
Max time network
149s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A |
| N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
com.clip.shoulder
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.clip.shoulder/app_DynamicOptDex/oat/x86/xDrdtlu.odex --compiler-filter=quicken --class-loader-context=&
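The dex2oat invocation above is handed `app_DynamicOptDex/xDrdtlu.json` as its `--dex-file`, which is the "Loads dropped Dex/Jar" behaviour in practice: the payload is written under a harmless-looking extension and compiled at runtime. dex2oat accepts either a bare DEX or a zip (jar/apk) carrying `classes.dex`, and the report does not say which form `xDrdtlu.json` takes, so a triage check has to look at the bytes, not the name. The following is an added example (not code from the report or the sample) that classifies dropped files by magic, validates the DEX header's size, endian tag and adler32 checksum, and walks an extracted app data directory for code hiding behind a data extension. The sample files it scans are constructed in place; the real `xDrdtlu.json` is not reproduced here.

```python
import hashlib
import io
import struct
import tempfile
import zipfile
import zlib
from pathlib import Path

# File-format constants (DEX header layout per the Android dex format spec).
DEX_MAGIC_PREFIX = b"dex\n"       # full magic is b"dex\n" + 3-digit version + NUL
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678
ZIP_MAGIC = b"PK\x03\x04"
ELF_MAGIC = b"\x7fELF"


def classify_payload(data: bytes) -> dict:
    """Identify a dropped file by its bytes, never by its extension."""
    info = {"kind": "unknown", "sha256": hashlib.sha256(data).hexdigest()}
    if data.startswith(DEX_MAGIC_PREFIX) and len(data) >= DEX_HEADER_SIZE:
        # Header: checksum @8 (adler32 of bytes 12..end), file_size @32,
        # header_size @36, endian_tag @40; all little-endian uint32.
        checksum = struct.unpack_from("<I", data, 8)[0]
        file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
        info.update(
            kind="dex",
            dex_version=data[4:7].decode("ascii", errors="replace"),
            header_ok=(header_size == DEX_HEADER_SIZE
                       and endian_tag == DEX_ENDIAN_CONSTANT
                       and file_size == len(data)),
            checksum_ok=(zlib.adler32(data[12:]) == checksum),
        )
    elif data.startswith(ZIP_MAGIC):
        info["kind"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        # classes.dex, classes2.dex, ... is what the runtime loads from a jar/apk
        info["contains_dex"] = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    elif data.startswith(ELF_MAGIC):
        info["kind"] = "elf"
    return info


def is_disguised_code(name: str, data: bytes) -> bool:
    """True when the bytes are Dalvik/native code but the file name says otherwise."""
    info = classify_payload(data)
    suffix = Path(name).suffix.lower()
    if info["kind"] == "dex":
        return suffix != ".dex"
    if info["kind"] == "zip" and info.get("contains_dex"):
        return suffix not in (".jar", ".apk")
    if info["kind"] == "elf":
        return suffix != ".so"
    return False


def scan_tree(root: Path) -> list:
    """Walk an extracted /data/data/<pkg> tree and report mislabelled code files."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            if is_disguised_code(p.name, data):
                findings.append({"path": str(p.relative_to(root)), **classify_payload(data)})
    return findings


# --- constructed samples for the demo (not the real xDrdtlu.json) ---------------

def build_minimal_dex(version: bytes = b"035") -> bytes:
    """A 0x70-byte DEX header with zero classes: valid magic, sizes, signature and checksum."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()            # signature covers bytes 32..end
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]))  # checksum covers bytes 12..end
    return bytes(hdr)


def build_jar_with_dex(dex: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "com.clip.shoulder" / "app_DynamicOptDex"
        app.mkdir(parents=True)
        (app / "xDrdtlu.json").write_bytes(build_minimal_dex())   # DEX hiding behind .json
        (app / "config.json").write_bytes(b'{"k": 1}')            # genuine JSON, not flagged
        for finding in scan_tree(Path(tmp)):
            print(finding)
```

The checksum and header checks are what separate a real DEX from a file that merely starts with the magic; a payload that fails them is still worth keeping, since droppers sometimes store the DEX XOR-encoded or truncated and repair it before handing it to the class loader, but it will not have been the file dex2oat compiled.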
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 216.58.208.110:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.165.25:443 | jsonplaceholder.typicode.com | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
Files
/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 966afdf8cdddbd6de72f0b2d30cde02e |
| SHA1 | 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8 |
| SHA256 | 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf |
| SHA512 | fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb |
/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 033372e71cfe37afa161932ca1514575 |
| SHA1 | 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2 |
| SHA256 | 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841 |
| SHA512 | c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374 |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | fef861697d6e865ffd0ac495bba92bc3 |
| SHA1 | 796094bd56f01b637c0165d8d734dc00a9481e4b |
| SHA256 | 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42 |
| SHA512 | fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8 |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 57774766cbc43d889a671b7d57da2d0b |
| SHA1 | b95248e49b4aebb8464be87c39bdec4fc099dc9c |
| SHA256 | 88b593e978070be1838d17a5a09c45af416bbf02319aa28c6f2ec90873f1cdc0 |
| SHA512 | eaca6b647a38f38e2d097f4d18c461740fe1763ffdedb4d25c75b4dee8c3aade8c4c68411fbc99590b6aca4f354fbedafd8b862a219279d3397e27c9a773f4de |
/data/data/com.clip.shoulder/app_DynamicOptDex/oat/xDrdtlu.json.cur.prof
| MD5 | ba0c7e8332a70b24d46fb2fab5e39b4d |
| SHA1 | 3425622ff8edc3c464eee84c986052e6e2d09160 |
| SHA256 | 03fb29e3c692c305d81a51eae346c2b71ce275c667a9e5dac850bd61b6b8be49 |
| SHA512 | aa9db84026613ae4144c9babdabf6d0145ac8fe1effa2121eb20a5b480b35b4fe5583a7efc0c8c967873e147a9e79cab863ce015f872865acb825baeb1fffca8 |
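Most rows in the network and file tables above are sandbox noise: resolver queries on port 53, reverse (`in-addr.arpa`) lookups, mDNS, and the Google, Bing and Microsoft endpoints that the Android and Windows images contact on their own. The rows that matter are the nine plain-HTTP connections to `37.148.210.173:80` with no hostname at all, and the repeated writes of `xDrdtlu.json` under different hashes. The following added example (not part of the report) parses tables in this page's pipe-delimited layout into deduplicated IOCs: it drops the noise classes just listed, ranks remaining endpoints by connection count, flags hard-coded IP-only destinations, and folds the `/data/data/<pkg>` and `/data/user/0/<pkg>` spellings of the same directory together so every version of a dropped file lands under one path. The benign-domain allowlist is an analyst assumption, not something the report states; the embedded input is a subset of rows copied from the tables above.

```python
import ipaddress
import json
import re
from collections import Counter

NET_ROW = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_LINE = re.compile(r"^(?:/|[A-Za-z]:\\).*\S$")
SECTION_HEADERS = {"Signatures", "Processes", "Network", "Files", "Detonation Overview"}

# Analyst allowlist (assumption, not from the report): platform/telemetry hosts the
# sandbox images contact by themselves. Tune per environment.
BENIGN_SUFFIXES = ("googleapis.com", "google.com", "bing.net", "microsoft.com")


def is_noise(ip: str, port: int, domain: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return True                      # mDNS, link-local, sandbox internals
    if port == 53 or domain.endswith(".in-addr.arpa"):
        return True                      # resolver traffic; names reappear on the data connection
    return domain.endswith(BENIGN_SUFFIXES)


def extract_network(text: str) -> list:
    """Network rows -> candidate C2 endpoints, most-contacted first."""
    hits, meta = Counter(), {}
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if not m:
            continue
        ip, port, domain = m["ip"], int(m["port"]), m["domain"]
        if is_noise(ip, port, domain):
            continue
        key = (ip, port, m["proto"])
        hits[key] += 1
        ip_direct = domain in ("", "N/A", ip)   # no hostname: address is hard-coded in the sample
        meta[key] = {"country": m["cc"], "domain": None if ip_direct else domain,
                     "ip_direct": ip_direct, "plain_http": port == 80}
    return [{"ip": k[0], "port": k[1], "proto": k[2], "connections": n, **meta[k]}
            for k, n in hits.most_common()]


def normalize_android_path(path: str) -> str:
    # /data/data/<pkg> is a symlink to /data/user/0/<pkg>; fold both spellings together
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def extract_files(text: str) -> dict:
    """File sections -> {path: {algo: [hashes...]}}; one path may have several versions."""
    files, current, in_files = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line in SECTION_HEADERS:
            in_files, current = (line == "Files"), None
            continue
        if in_files and PATH_LINE.match(line):
            current = normalize_android_path(line)
            continue
        m = HASH_ROW.match(line)
        if m and current:
            bucket = files.setdefault(current, {}).setdefault(m[1], [])
            if m[2].lower() not in bucket:
                bucket.append(m[2].lower())
    return files


# Constructed input: a subset of rows copied from the report tables above.
REPORT = """\
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.165.25:443 | jsonplaceholder.typicode.com | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| TR | 37.148.210.173:80 | 37.148.210.173 | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | 966afdf8cdddbd6de72f0b2d30cde02e |
| SHA256 | 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf |
/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json
| MD5 | fef861697d6e865ffd0ac495bba92bc3 |
| SHA256 | 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42 |
"""

if __name__ == "__main__":
    print(json.dumps({"network": extract_network(REPORT),
                      "files": extract_files(REPORT)}, indent=2))
```

`jsonplaceholder.typicode.com` survives the filter on purpose: it is a public test API, but a banking trojan has no business calling it, and it is a plausible connectivity check or decoy. Whether to block it is a judgement call; the IP-direct, cleartext endpoint in Turkey is not.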