Analysis Overview
SHA256
17c1882b9201a4145a4fa8db895ad8e69a415886e2c8866391ae3e6beeabbe50
Threat Level: Known bad
The file cab58cc08dbbfef550b2377f053505a5 was found to be: Known bad.
Malicious Activity Summary
Medusalocker family
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-15 06:26
Signatures
Medusalocker family
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 06:26
Reported
2024-03-15 06:29
Platform
win7-20240220-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03a2bcfa176da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000bfd040cc3fc50afb8c18baf6327a5f697186b9987a2662dc75b6f6756f465b98000000000e80000000020000200000003012cccee0396c374c6b0e4c0ae73bb22600a7e3526289e87895bb937b603f2590000000874d5a818372480b3c6db5fd57a4851619b0b4f308643a5834b7551402cf0126aecb2d8686ee1880a47899d6833991a365ed806631273aed8bf5c6d4bdf062fd64344b747825a4eb0aa12363f14263f681c9be5ddb746d86bad73cdf57139e7d653ae2800157a26e61c3e8a60f1fb4cecb3222f0067db66e39491c481a01a13a73c1d65ed0955e96f3fc44f2a60b7f2d40000000c3cc923b16f1b04175b6620f2461c480c237cb670b1ffa4a671701bb2b3d08ff1ff861c322c9f2d29cdd14b888e30f0512ed44d601927fb9b637344b3d7f5b4b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416645866" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc2330000000002000000000010660000000100002000000059530480383e6f70a7b19e96ad748ee1da7230112aa9bb44cb40c63746031f60000000000e800000000200002000000023d01d01a498a4c31a1407cfd5788a042f7a50c0d2bfae90935a6ef216c47359200000007cf835ceb525ee159ff8689387b4a507088172292cfe9e1341acaeaec073bcd94000000033fa1978b37703bb02a311341b2dfc6580662582b6cbd95fef2addcec0f8b2f9a1a2e857ac8cd7dd85d1dc514bb80980b12840502245f81278c9dcf78d15b721 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAA226C1-E294-11EE-A5A7-5A32F786089A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 2848 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2968 wrote to memory of 2848 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2968 wrote to memory of 2848 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2968 wrote to memory of 2848 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\cab58cc08dbbfef550b2377f053505a5.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab26D4.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar27E5.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49dbc8e78acb7b52ba7e95918319bd95 |
| SHA1 | 6450d48802d9149bf0bcd4bbb2d44ab19244210e |
| SHA256 | 315621d7bb4576c5969a8de70c4db5cd0a1851c0b63f8318f2c892bdcc8374ec |
| SHA512 | 909994f576a5cb197747a79a9e37d8a04e80f5ee4e03c1afc114ff22402fbed31a2fc57cf39b73bd7c98cabe3ca0c6fe0f3d5e0431da8863d31e33610d2b1c76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65e35fbf26484ccc017b02c9ba23a303 |
| SHA1 | e153c7145802b106b97394b5732a0a90d5e56686 |
| SHA256 | 03706bb47e2a7b6233fb6230101cbd288765aaf75e328ce0d6dd96a2ea92a871 |
| SHA512 | 92ae82b7702055da7e39adbdd97efba26eaa5564a89628e306cf976ba97b894c11eeb52edf8c6a3f95fc51792af787f7606efcf1737e635cfd826d8cb65e7a12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e1fa42a9aefc10005343ed7ede927d6 |
| SHA1 | c1d8bb649c1c4f7041f9cea8b1642cdd7008557c |
| SHA256 | 1aac7adf93af35a048257d2dd28ace65d0c1cad8f8f07fd823e30e41226e4526 |
| SHA512 | 5787d54397f7c32241253f38e68cac08d031624c6f3c43f8846faa86857d70737ebbf25c50574d52210a8f4eae6fef523eebb71bf4d5879e4094de5ef3d76dd2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27e1b9a6cce733f27543f9edc326fcb8 |
| SHA1 | cbd1b809be42aa1d697965f9ba54b4f90c9ab335 |
| SHA256 | 1bd18fb12f6d8b85abebc6c3d3f09cc230e5df5bbe60d25fef52d7e638c09611 |
| SHA512 | 649d72f632b3faf273ab708026d8bc84ec1e88f4b98084791936d9b889a4b6cefd63b1913daacab5b3a3e8c3e1d1aaa39709ecbe086a28818a8aeef17f6ec0c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75b44a021a359fc13dbb982755507877 |
| SHA1 | 628d15d3df29f6c193a34cb7d5f1638ede238e25 |
| SHA256 | 32beaa866d7a1da5f97459edbf2c052d4481247cc24e036ee1e292991e8dfbc1 |
| SHA512 | 6e79d7d77f7476b314e716663da4ab32a5c52c428c4ff3ffb39f39e2112ce70cfbf2e16006a873cf1bc5704f2b2e6282bfb636d19f21ccb61b7fc9452d8601de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c6403360112fd73105dad73c4110559 |
| SHA1 | 572d88e508d27cb4ab21a14051551c752ec7a0ec |
| SHA256 | f1845e38d27c959e8682f36d7a049c321969d57ff5bfe0fdc401d50e5d081244 |
| SHA512 | 3468271ae79fc7cf5a9f4ce8912fa90cb0ff0da01cd0f8fde5931a59fe7170189158a9cb225cc2becc95f48650b725f9d9a8ce68c7b2a9dc331ee0c27bbb7860 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3eb519a99bccfa152f38be75b2242858 |
| SHA1 | 2603c3cce69613fb63a69bdefe084f30cbd5f510 |
| SHA256 | ca33ad5c5e5aef629dd07114fd1aeba8b89ba682c7e90c9ff88621462630a5ac |
| SHA512 | 6bfac36dff2d42c73b6b05a36290719a662e8143409a2af4b9aada546a9af71acfb003626b0768ae14969a9c9bd42af5d703f4b177b68ee34a347867fa3f217c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4cba94c97165ac4f070b4db5271633f |
| SHA1 | c7b0f5975ab0aa6c39a72812897878991d7cfd04 |
| SHA256 | cfcecd588d5a34d99e00949c2da523139b9a9ba9ccc07f281785ef48a18b5a87 |
| SHA512 | 833d45cca9a2db611c0685ceca7418606597d361f349c743fc288e762936de4495712e7bc07945687223b15f0b6509082326531351a6ea174e3ca4c24068fa92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f610cb60f54ec5320ed4d4f39f7bda0 |
| SHA1 | 080e5f485bf083d2c842d9de9556dabf786636d5 |
| SHA256 | e87f6f76ded35d4cff2356e3814d8758f5837e7524569bcb46fb588927d4166d |
| SHA512 | 97073730f3e3e0d7291e5eb42294f404e97a4d5c3861f68881256e84d46f3efb9c57f28cd8b5e5e15794432c2bca32ee7cd10bc32c60cc1343feb5fcc28cd3f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b63b5ec219e436146767e103a1f19075 |
| SHA1 | 245f62b3db7463daaf0c076eb50bdc5faa3be904 |
| SHA256 | d21b86790e4fcf68fbeabcf1e806784a9647bd0f3b2e9c5b462e99772a533484 |
| SHA512 | a98cae2a1dbc64c3a2467e5005f3363a587b2ef0e8391d89f28d9509b105c81456f14ed8087e36b192c6f8fd321d25545a9209c63f3acf38277beaeea3f746ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a8b72bafcfcd38e71b336d301e297be |
| SHA1 | e3f031557d24aa1d38f490ccb47f984bbd62df03 |
| SHA256 | 09eb8ef2e026807c34b549637f44418150f6461566f5d5b5943e14415800764b |
| SHA512 | 4d8eed85c586ae2338cd1224e3c8866a61c41c8790b1165a3a5ee9f682335825e6248dcee2c56dd53c9028b7a66fbf128ea735ccc7a3bd2346be3ac9d29fd163 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 500804ae22ffc87393600176cc1f9c12 |
| SHA1 | 5444d8acc40d22580c79f0dde3a0401a9e0dfa2c |
| SHA256 | e84a62c37a14b9896063ca75360e1a8c2c400dd432bfa4edd9c65d1ae8c154b9 |
| SHA512 | 5a8e3dfaf81a8e0e7b7ff7c28d43643a43df5ba70eed245f37565aa9c119b6694d9551097d0abfd7c2593cef9e2eb34d8e2a734d32d06d908fdc857b8a0ce7cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b7717938e8c67e0a50ad11673464ee6 |
| SHA1 | 1bbb43b3d0e82fcb35dd5a86a17530009aad7919 |
| SHA256 | a175a9a3db2db9c74d01b76b3be0c38cd165ce13b64c12969bd368522cdc7078 |
| SHA512 | 03aa0725bb58191fedc820eaf18735727982fa58011ff62c5cb544dd51402c1b4529f1a2e3ab8f81e75fc89a0bd5c088876260d39086463ad3bd3a3aa3ebb6bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3a680e2a7f83b1443412e18ec9191562 |
| SHA1 | 2bd1ec2681923a0eaf22e31f0b958768f560c530 |
| SHA256 | 32ea4d6982555cab79d13800f9501dbd3b30b233cdfd91ece854013eaf1908b7 |
| SHA512 | 08216add652c7a1f44b200851816078ddea8a8fab3c17926eaeb20f81ce8e075116da18e5f8c87d1818408f920d768f5c7ec7df04cf2542f8882bfa4e3f71988 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e6f2b565e8420aeeb74b18e36ce6fa61 |
| SHA1 | df972de6ba68d0648e4080e55b9d85295973d03c |
| SHA256 | 1d09a146ba4dc8f71b4e533dc5bb0abb6dc82d4413296a5e5976a9cfe6c1da34 |
| SHA512 | c077524588a1ff1e2a8922602a03941ec7dcdc4f5a972fdb9fedc8c17a786e6741aa6e1eca6429a8c4d41b9fc6e79fd7ae4624c448c5f93c29bbfef3e7a0bd0c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c32a14db24cec27c5bd1689810c131b6 |
| SHA1 | 23b175626fe566a118b44569da6c43f91363b2ad |
| SHA256 | 5a5750f3a58e280336f14568f5e56e63f1b51e7f50a9bc9f85a71e944110a03f |
| SHA512 | cb966dd1d5aca3220bbac822535d09c61eab5158b7c31fcc2befbc5b920107e46320c99e4ea04308cbe77a881ea8b512c281f596e676775daaeda8bf482b18f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4bcc6cef48f8510840e2b2e85a89926f |
| SHA1 | ee525aed9850dee2453d36d0e93b226e0db861f6 |
| SHA256 | 1046f0eace5f985471471db1a8dd76403e75d062263c863bf20b5e77796bbfa7 |
| SHA512 | b6e1ae41ae48c6b4d2162a00e5bd095235b69f4f54e23522cc433311e1588facb3e63a3ce1c11c69077788b6681704c2d7ed4bb3c6f79233d9b9b8a57e8b407a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84d20ab8d1f280189e6f6a41c0616cf7 |
| SHA1 | d428c9efdbe6af66131178bfc983b03019dc8940 |
| SHA256 | 2b966cce7d56112bcbac0c61ca39e0c1c99d5393f16239a842d67b2a49cb9083 |
| SHA512 | 5926f38f36d3532b5b330aab5240ac17ea627a5350520afa6a1005561b7ff50a5f4ccd9d3d9c0c4daca6b66ed505fdb1637763eeb4b10763d28acd338a2513c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd989f053eeb12dae3786b08571ef934 |
| SHA1 | fd528d9be8ad813170ea86b07e91f49ffdd0442a |
| SHA256 | 398d120634bcacb1b26ebdbf8a898fb2bfd9c056f4b92841de09f0c9e37abd86 |
| SHA512 | 180eee77c3121f4a09f7d734966cf7556496d9aaf7df488a73b1b9eb7121176c98c9845b47d7a3d0744b663eb31e42469e02bd8cf04d7c9c5090b06eca7ac830 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 06:26
Reported
2024-03-15 06:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\cab58cc08dbbfef550b2377f053505a5.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6f5e46f8,0x7ffa6f5e4708,0x7ffa6f5e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,3018423716757419016,10821646136177501352,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3896 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e1b45169ebca0dceadb0f45697799d62 |
| SHA1 | 803604277318898e6f5c6fb92270ca83b5609cd5 |
| SHA256 | 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60 |
| SHA512 | 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e |
\??\pipe\LOCAL\crashpad_4432_ATBPQZKTGIKEZIJJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9ffb5f81e8eccd0963c46cbfea1abc20 |
| SHA1 | a02a610afd3543de215565bc488a4343bb5c1a59 |
| SHA256 | 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc |
| SHA512 | 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0777182a66d4b049d899f336a74c832e |
| SHA1 | e101d43ae0bd4126b5663529ad4f517fe8297e5f |
| SHA256 | f674eadafa101c93e8848ca71c74756e01a9212ff8bec563d106f4deea4a06a3 |
| SHA512 | 728b9608df05e3c0b3dc01ece22bcafd7567079cebbf9511ca39823b455fce33a0ce28c7b39964512636f9065de681e1cac0a82a4fc3a73d9854080ad65b0a34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cbb89c9a66ff148eb5dbcab1e0495740 |
| SHA1 | e2b73623b65ab7fb70920e472942383fb966c3ad |
| SHA256 | e8567853e8ff138fdf2096c46675d7e012e347b1c90f745dfc0e5a302a9119d4 |
| SHA512 | 38fcdaf0f1f37b21cc7a09f5645cc3f630ccbbf77620c7ef6d0c6f5a71b774e3e9390a3d2f9e6341b858b7a2fc81366f253a399f9d8690e3006e08ad6da10a53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | edd6f42f00c73196e6bdb637c957cd1c |
| SHA1 | d7646c2852df2d6816dcc6f33dec7be5e7362b0f |
| SHA256 | d1160eca1fb4ce94a37cb835270948153c3484a7c973a8712e57481fa2ea7c7a |
| SHA512 | b58d93cf7b74c071056fb8de3b4def9abd727e8ce5a4766492e25da9bb7b9dfc9edc0fd67c93705876b7b893c4653197246e497590ce6e792f4cb692e6f1202c |