Analysis Overview
SHA256: 86964c2eb668438d828b0a5ddc4c47e526c20719af11581910a193e5d30f6788
Threat Level: Shows suspicious behavior
The file 41beb012de8a5901e81c188223f0ac76_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-14 13:57
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-14 13:57
Reported: 2024-05-14 14:00
Platform: win7-20240215-en
Max time kernel: 119s
Max time network: 127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000006bd7e62447172cc3ae5c04e2da637e7f4dd2c268c55627d57387ef9f6f312ce7000000000e8000000002000020000000fbcb601b3923455fa215dedf30cf59e0ff57e643d61905fb804b09f515be35ad20000000f924073f46c2c999531e864d2b553c57c4875c3374d06da3029850dc91ad836a40000000449a58f318356b7d685634bf83f40e41307d7f592247a09a98e67f42cfd132fb38eddd063fb25f7d028cc79da6fe8c8bba85bb6d938c430b9753667049d821c9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED07D891-11F9-11EF-9907-E698D2733004} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a069b0da06a6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421856927" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1724 wrote to memory of 2976 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1724 wrote to memory of 2976 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1724 wrote to memory of 2976 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1724 wrote to memory of 2976 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\提示说明.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | dx.bibiwg.com | udp |
| US | 103.224.212.214:86 | dx.bibiwg.com | tcp |
| US | 103.224.212.214:86 | dx.bibiwg.com | tcp |
| US | 103.224.212.214:86 | dx.bibiwg.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD3F5.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarD4D6.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d9ca32c2360c0cf9763f0493b1734fd |
| SHA1 | 84354c58da19a56b541c3770f2fd5aa7b9f0f75a |
| SHA256 | 6c8e2c7f281f78314a3df75d349ced30930de414771428199f5b251b51eacbf5 |
| SHA512 | f1cc641db2d104e1a0fd07eafc3029e943d22c97cfe40dce2963ac8da366ba25855696cb11defd63c5c5120092208888fcf8d00e00ffc071b3b0b88d0f167558 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5db4d482adf5da68022cf7a4dc1cf9be |
| SHA1 | 5f69fbb10d644676887fcb846d39a4c9c390b2b9 |
| SHA256 | 800a2418a216c74466c4819334a9aaa9aca100acad143379e28a47c6df649aaa |
| SHA512 | 5ca1745c622678d8fb514e040e330b9c357c15fbb55a175a08c9b76fd9b45963920426cd6984bde4593d30793ac13f9069b28798169ac167a31405bcb0ab57b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6f6cb511409950f76af0e67e1b26c34 |
| SHA1 | a9ddd008af4e8c8492c24744bfb44be8122f7f8b |
| SHA256 | 19c1b50f11c1bdf09dbed80c0bf2a6ae8acf15144661c4516cbf85656821e269 |
| SHA512 | 581d0f3d89d2c119d9b7609c25421fef5e94b0f409003a5168636eb575e77906a4b1097f8e2af115b7573b6ca76fc9fe5ebc39641c6b567b43c5822829ad9ee5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58d43d775803376737122cdba24ec1d0 |
| SHA1 | ca8f2c2f4c942b172d599ca341900b4559eb2b48 |
| SHA256 | 0445ff67c636837aa8d50332232fad76ec97389c7a1a47055305431c403e2c0b |
| SHA512 | d2a38d43faa00fd35fa55d1d766014aafe86625a34f28cf02eeb4b0e0774ee4023e25a662bbba4a5bc4db388cd5e8a08b4b2ff9abed5d1bbbdcf3e27127f203f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 98d3ded5b714ccfac8608d8d8246d980 |
| SHA1 | 979a81b6164c984ef34d512d2d9b96a977d569b3 |
| SHA256 | 00986509a54d91ea81ae0d4c1c4633f4f7212bdc1125206c7ec3d6b155bcfa5a |
| SHA512 | ea215b3086b2c3eed56aba8b3ff7d2ccd740f11f8ceb9316e90bd3beffbb6bc7081682b70f0cc8ba9fe257b8d9bb6798d4631e92e5be6e7b46a3c3d20e3c5849 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ae5af489ee733570b8f7d4bfffa00e0 |
| SHA1 | aae3ead09a4e386d0d2381204de51da6e2af3610 |
| SHA256 | ca14088fc1b8b736f7e5fccdb269d0be10520af2261140db48440b463d01d137 |
| SHA512 | 8f320bd513f202285cdfc75a51d5e576497a4387818920cd2b61b7a83056589db09612ddf60b4741825949adf4b7f409f241c2d2ef512771307aaad591de50b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbe9ef7154a24a94cbeb6ed3366aa4ff |
| SHA1 | 984dc14dd55840ea9446b01c48a02f29be72e1d8 |
| SHA256 | 3ddf2f551d18186d17c5c0484b0cbd7f5dea24a5e203ee920118f27ea5c5f986 |
| SHA512 | c9e9de98a9d370cfc1d489c626e9f47340a7e3cdc3f7f51ca62180aaacf2688f941378b0ed8c296ee52f2d0275c79e28d157ec42052e047612c18595188dd2db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 213b30ae66545b6ca6599117fb80af25 |
| SHA1 | 2e940d3ae0bfb43ff4900d286287d6e841d07cbf |
| SHA256 | 4f240c37f33c01fb6a0af55a084b456518e8b991dec7bdc2920074a6888e3af0 |
| SHA512 | d316f9aeb19afc384bf5cca8c46e8bb4fbd44ed2d7a10746e69c1f81312c4617a32ac55c587262716c98302a575cd06f270b7aba80daaf0cc15394d8c1c8d053 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e7afec06446860e82b750780314f409b |
| SHA1 | 6156cbe7ef5bc61e78a309bb4e7cc079b3ad0deb |
| SHA256 | 1c90ff48ba757cd15770ee3bf1dde5522774c071692ef4e664d4ff1123e7650b |
| SHA512 | 3b50fbeca1b1b060159952d543158c60112836e96890903fa6f30480ce5eda8c9d21fded0ff126180d631ac165ae7871a65cbb2f2d63b0b7a47e905732caef3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4946c2b9c2681b59e6e63b1079999314 |
| SHA1 | 776d30792e96848b2f2bfa558c262013ba94b02d |
| SHA256 | e2f2377748809e6dd842ab89536389e84af5bf2df5e1cb680716e180c80004d4 |
| SHA512 | 8501cdfd57f65606567e77467ba19bd09fc40b6a361a49e5ab5ef8d30a13642cd7407ff2e35c02907a131d1ceb126ae9d4d2c6f98026ca4d27a02d2f43d9b717 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 362e7e90aef019efb841764b9cfbdda6 |
| SHA1 | cc4d76755272b809ee48e3a6404cd6b36f5b5afc |
| SHA256 | 5532d96af08df7d9525ed8bb605540c427e03913e639db1f2a31ce39723a0c83 |
| SHA512 | 3c7c0e88c1735a7a9812a284959b77e1312482946a588e47d759787e317db013534c67d8a34b4d70ecb08cc6eefa72954277de207285f78aa998b7d579c4edcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09089080b68ef253f0d5e44af080cd54 |
| SHA1 | 45d4def381886e80ba0e4cf2452e8503fe9ba138 |
| SHA256 | 0fa51f68673836a8c255337f0cec4c32474ebb76d96c544d1e8609daa310971d |
| SHA512 | 9f93da5b460a64c9e29d816aae50706cce9aaa1a1a90e5728275f37af7351a313e394681d8b292f822a2148842c3106c1c04dfd88e5ccd2f5a4384db9ac41a72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0cc8045cf9d46170178aa426298fc7bc |
| SHA1 | 72c07b1343134d114f7a2141e28abfb29d1bcaca |
| SHA256 | 2c684f662db0c1d7fb31f9697ff125604372c1b5143083e3d59c85d5ee25cfff |
| SHA512 | d626183e12d88d4175f1bd0f55bf5392ff53ecb8f58b4ecff9625dfa1c0237679c76d239545125ace81868d6d43a1e91a59dfd3c2a2ab8b7a6603bb5a1c25e94 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5213bcd7bc544465f663d9d5cba692e7 |
| SHA1 | c58ed7188d0ece3f4498701376bebc7a16380ca0 |
| SHA256 | cd1e703b6bd417524ac1125c98d2b7edab8c41cce21c737162e33a5c9ac3d33e |
| SHA512 | 442f45ca98037ce0f48a889009cdb81060fed519c27ce19deaf0bff1267c1012e7bcf23a94af3b4ce084976dd177d412fa805ee079191983cef0b12ffa5af39c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e02d44f3271e07841799f2c078b0f50 |
| SHA1 | 8c1d7ba89dacfb8fd042fa1fb2811d5c00519a1c |
| SHA256 | e6c8807b1774f0eee17ff49ee8cee61097a184203b6b041e5ac29e633380b4d2 |
| SHA512 | 2e48e870e2ed5f4c6f89365d1ff62d0111e681971b06d99e993728f97cb0a6b264f32d9c9da9faf1fd76c25ac9e1d5f1aa548efa490cad6fb5dbcff1a8a641eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e779d8c8a6c0084961db0411045f8a8 |
| SHA1 | 83365abc2aea3f14b26b33d4612491f14c97fae8 |
| SHA256 | cf7e1a80dff39f622f3c7a2d5dc8d36462697dbd01f6961afd17139ce3d60d6c |
| SHA512 | 943cf89c45d0ae06edbfcaeaa16f2311342701fbf7a523a65dc1826f5660686a0716304140a9b63c89837d409106cc43e12db2aa8d237544a97ca8e6ad29965b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 228503a16c94ac01d23882a87ef08880 |
| SHA1 | 8ba36617b23ad4012a24757085a33be7d753a9b7 |
| SHA256 | 41c80d9924b1eaa04ec684fa46de5af5081c481ff2fd79cc246f40fcd17365df |
| SHA512 | 3f0116103f5ae304c7f39a186295febf1e5283df9ce6d2ced69ba04b393d1c9191f59bf51052f781fecc8a8e68beadb8fa7a06fc85d585dcaf7a0dd53e2692cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33058bce317403a4010e09b6112dcfb6 |
| SHA1 | ce3ebbb734316e99430a9a424016704ed6f88252 |
| SHA256 | fd2ca7ada9d4e371821abc84da6de81c7aaef6c735056dcd5df0a5d12dacf98a |
| SHA512 | 1a13a0bf02cf898a07e4d2b87967f6e7c65c338998c57517683b377ebc726170426dfb24f4cc5baa57b4c8b31b3f400af1b879e2c0b9caf0243ee92fd26196da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7468a9ba42583200f9d03c5eb74dbe45 |
| SHA1 | 6df4397ac99c45e28fb0547acc37fbd66bb6ac69 |
| SHA256 | de4fb605057117e9c1535e47d1be8eac245e52436198b5ad07c535bf372785d5 |
| SHA512 | 7aa79ea1e0644afd97d676d92081164dad2bb1ca40724a944fbd4ff480cbaa0ad75abe8b6a77f4f428d5db69537d5819d638620bac8fe96676c4a38c0d2938ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef4e7811741195fdbf687dda57f06cc6 |
| SHA1 | 29278e5536958600ad2568248b3e449b1e998923 |
| SHA256 | 2f745e8359e760b0819123a3f11c28adc394a964e1b7792fd17cfbb03317efef |
| SHA512 | 7a478ba85dd6183b2b033b36ae75ef744fbae262f0032d6fd4c761b5e4643ed873fca15b697ff476772d7c4cbcf1fcc7e96a0d3242315fa10fed9ff190c1f8c2 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-14 13:57
Reported: 2024-05-14 14:00
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\提示说明.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc113e46f8,0x7ffc113e4708,0x7ffc113e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6430665162945323092,7291994732850929045,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3260 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | dx.bibiwg.com | udp |
| US | 103.224.212.214:86 | dx.bibiwg.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 103.224.212.214:86 | dx.bibiwg.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.128:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.128:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_3328_SZTNCUTZJDVHHTFE
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d3ae6349-5133-45d7-822a-eef0585d1f25.tmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-14 13:57
Reported
2024-05-14 14:00
Platform
win7-20240508-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe
"C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe"
Network
Files
memory/2184-0-0x0000000000400000-0x0000000000673000-memory.dmp
memory/2184-1-0x0000000000400000-0x0000000000673000-memory.dmp
memory/2184-13-0x0000000000415000-0x0000000000416000-memory.dmp
memory/2184-14-0x0000000000400000-0x0000000000673000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-14 13:57
Reported
2024-05-14 14:00
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe
"C:\Users\Admin\AppData\Local\Temp\蝴蝶透视瞬移遁地0301\蝴蝶0301.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3632-1-0x000000000059D000-0x000000000059E000-memory.dmp
memory/3632-0-0x0000000000400000-0x0000000000673000-memory.dmp
memory/3632-2-0x0000000000400000-0x0000000000673000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e574183.tmp
C:\Users\Admin\AppData\Local\Temp\e574194.tmp
C:\Users\Admin\AppData\Local\Temp\e574195.tmp
memory/3632-41-0x0000000000400000-0x0000000000673000-memory.dmp