Analysis Overview
SHA256
4d0d7a1816edb5ec2d4dfd7d167db96502eb38752fe0dd3c1aceca7fd090b333
Threat Level: No (potentially) malicious behavior was detected
The file 7063dd810582d6f66e885d2cf9b6c276_JaffaCakes118 was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 01:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 01:10
Reported
2024-05-25 01:13
Platform
win7-20240508-en
Max time kernel
134s
Max time network
141s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422761305" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98E9E3B1-1A33-11EF-906B-FA9381F5F0AB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1692 wrote to memory of 2456 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1692 wrote to memory of 2456 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1692 wrote to memory of 2456 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1692 wrote to memory of 2456 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7063dd810582d6f66e885d2cf9b6c276_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | latuagrandesfida2014.polasesport.it | udp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab206D.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar20CF.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d6fe76d0ea14d530f77563b0c3e204a |
| SHA1 | e4cbd49edbbf4bb3281d0e57667128ebe685f5ac |
| SHA256 | 9557a8655ff7094a07b511f0aa16f7d5b70c90b9f713d7426135b35d9f6143cb |
| SHA512 | 85ead947cce44cefbb60d875384ca0d34f12d30c8718abbf2f90db19c6fefc0d88664bb2b8738860cfabc766acaa1708b9cf5a712e638e8bada6db5751dd4524 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 481cf8e2bf10591e84d6bd9910001030 |
| SHA1 | 445119ed86f7dc90b5e7fb97c97f1f245482728a |
| SHA256 | 6cc85d5c7a5f53004905bdff52e243c7cf78e3959101fe32717ad0c999d89b66 |
| SHA512 | afda717d29f886d3c46e1613d7d7e495dbfd2861c1f9085844d027fd186601df7da93be733b1f7c7ba7358d850f84da0c320c106464d7d101f8db1a78db85f58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce6abd63df92cb2515b81b119a004c94 |
| SHA1 | c9c0d2247e6694667ceb136d63ea5431c5785503 |
| SHA256 | 3c7eed3a37a1d9cd3630957d74b449090ae48725c826eb90c8bca0fe2a62bee8 |
| SHA512 | d34efb6e2e3b67e4d29697ac9f13ac6665f6fdee2f276d884d85fc6363340798cd63d9c95fbdaffe47261a035f03271855c08f79556bb2dba7e76b16948e7244 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 869f3ae7528ef3505f9e91938ca3c478 |
| SHA1 | 9e37031b16aadfbb52f1aa911748d278935c6937 |
| SHA256 | 18734dcdf5fad8e025773b4d9a424fa345f3d0649014588bbfcedab588f3e058 |
| SHA512 | 1362e18acb567d02390b1ac63d8c39de3c53853fd13b31d443146921f2a8ecdbd4fbc71695779c6ec968a12b4541b0d4fe4da3fa451a4a8e689fe1e38394a9b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e67f950433b37a5fa6cf2e8d66b96361 |
| SHA1 | 0acc9deb41618a995780cba6af806b8735db4b77 |
| SHA256 | 4342bc0031151b85ca112bba414e460146b83abb9442c63b6886fdacccf174fc |
| SHA512 | 6e2939111323238532d50965caa1a103fb04f8bef306684af5b04416cc5bffd390693320879cd814100ce292a8901bc18a9784bb8c4f985428177e493975ccfc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b614d770a3394dffcd0725778a6426fd |
| SHA1 | fed673c0b49da050f111941a14a197f0f8a0cb41 |
| SHA256 | 99f682dcf93b9b649cfca1905cee26e1eef05e5768e92deaf4aa36b2f6811ef4 |
| SHA512 | 2577c10cb6516dbb1bbec0ef6ac022ad722cb1bff27518889c405066df9aa3304e8c43a6362a46637897a730e3699933819efbfc07e7bc8e7354272a51d0fb91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc41432d4cc1231b49de935e18514f1c |
| SHA1 | cebafa37397546b8fd7db690faf9c2c38d16814b |
| SHA256 | cd5c8587c5d98108737879fd60336ebd7356da07937ff5138cc049cd6f1e7577 |
| SHA512 | 13ebd39ed46c1f5de734fb99c6427c9c359a088b32c1b605c72dbcfe69e5b7c250d0487da036c6094416141b1783147bd3bf7a04c128e595023216ce8fb44b1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0864515501bc4dcd2e15460af14de55 |
| SHA1 | 32cdf2816965913b547d93688527307b40e14f9c |
| SHA256 | 9f35194e4d2ebee7ecfde09ca5a3b026dabd6c958539949de2ff6a4998e5406b |
| SHA512 | 053f179fbd421a0b75c88881ae69e79ae5e0c531e994337c73bf77ce3fb8a88496ec56488e6260a4c7ccbac1e4b237ed6553af4308ff73b7cca35a3399857724 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 61f9a5f645e9ee0e9b6f43ee29f8472a |
| SHA1 | aa3e847b83c2234eb1f2c267aef0a92cad0c1ec8 |
| SHA256 | 584fb7cbe1111410c8178802e169f05434cb1782e0636d778724294e2385f187 |
| SHA512 | 7863025832cc80f77634f3e29821b26c2aea7efc0e157f2e670abecf7d1ca6e99cf02a2cddf3df7b5ca49ba90d260113904ffd1cef5a098db08147ccd4febb15 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 01:10
Reported
2024-05-25 01:13
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\7063dd810582d6f66e885d2cf9b6c276_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccfeb46f8,0x7ffccfeb4708,0x7ffccfeb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17736237336785096031,17515241383284436699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | s7.addthis.com | udp |
| BE | 104.68.81.91:445 | s7.addthis.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | latuagrandesfida2014.polasesport.it | udp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| GB | 216.58.204.74:80 | fonts.googleapis.com | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| GB | 216.58.201.99:80 | fonts.gstatic.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s7.addthis.com | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| GB | 216.58.201.99:80 | fonts.gstatic.com | tcp |
| GB | 216.58.213.14:445 | www.google-analytics.com | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| GB | 216.58.213.14:139 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
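Added example, not part of the sandbox report and not the sandbox's own tooling: a small Python triage script that parses the two row formats this report uses, the connection table above and the Files listing that follows. It collapses the repeated connection rows into per-destination counts, converts PTR query names back to the IPs they ask about, flags web hostnames logged on SMB/NetBIOS ports (the 445 and 139 rows for www.google-analytics.com above), recognises entries whose digests are those of zero bytes (the crashpad named pipe), and lists paths that appear more than once with different content (settings.dat and Preferences, rewritten during the run). The sample strings are constructed subsets copied from the report; the port set is an assumption for this example.

```python
"""Triage helpers for two sandbox-report sections: connection rows and Files."""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the network table above
# (country | ip:port | resolved name | proto); repeats are kept on purpose.
SAMPLE_CONNECTIONS = """
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| IT | 81.29.196.71:80 | latuagrandesfida2014.polasesport.it | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| GB | 216.58.201.99:80 | fonts.gstatic.com | tcp |
| GB | 216.58.213.14:445 | www.google-analytics.com | tcp |
| GB | 216.58.213.14:139 | www.google-analytics.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# Constructed sample: entries copied from the Files listing below
# (path line followed by "| ALG | hex |" rows; SHA1/SHA512 rows omitted here).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b167567021ccb1a9fdf073fa9112ef0 |
| SHA256 | 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513 |
\??\pipe\LOCAL\crashpad_1224_LWGSMZZSJRTEAZGO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 537815e7cc5c694912ac0308147852e4 |
| SHA256 | b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f |
"""

CONN_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\).+")  # C:\... or \??\pipe\...
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# SMB/NetBIOS ports (assumed set for this example): a web hostname contacted
# on one of these is an anomaly to verify against the raw pcap.
LATERAL_PORTS = {135, 137, 138, 139, 445}
# Digests of zero bytes: a file listed with these had no content captured.
EMPTY_DIGESTS = {a: hashlib.new(a).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


def parse_connections(text):
    """Parse '| CC | ip:port | name | proto |' rows into dicts, skipping non-matching lines."""
    rows = []
    for line in text.strip().splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "host": host, "proto": proto})
    return rows


def summarize_connections(rows):
    """Collapse repeated rows into (ip, port, host, proto) -> count."""
    return Counter((r["ip"], r["port"], r["host"], r["proto"]) for r in rows)


def flag_odd_ports(rows):
    """Non-PTR hostnames seen over TCP on SMB/NetBIOS ports, sorted for stable output."""
    hits = {(r["host"], r["ip"], r["port"]) for r in rows
            if r["proto"] == "tcp" and r["port"] in LATERAL_PORTS
            and not r["host"].endswith(".in-addr.arpa")}
    return sorted(hits)


def ptr_to_ip(name):
    """'183.59.114.20.in-addr.arpa' -> '20.114.59.183'; None for non-PTR names."""
    labels = name.removesuffix(".in-addr.arpa").split(".") if name.endswith(".in-addr.arpa") else []
    return ".".join(reversed(labels)) if len(labels) == 4 and all(l.isdigit() for l in labels) else None


def parse_files(text):
    """Return [{'path': ..., 'hashes': {alg: hex}}] in listing order."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif PATH_RE.match(line):
            entries.append({"path": line, "hashes": {}})
    return entries


def is_empty_content(hashes):
    """True when every listed digest equals the digest of zero bytes."""
    return bool(hashes) and all(EMPTY_DIGESTS[a] == h for a, h in hashes.items())


def rewritten_paths(entries):
    """Paths listed more than once with different SHA256, i.e. rewritten during the run."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e["hashes"].get("sha256"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_CONNECTIONS)
    for key, n in summarize_connections(conns).most_common():
        print(f"{n:3d}x {key}")
    print("odd ports:", flag_odd_ports(conns))
    files = parse_files(SAMPLE_FILES)
    print("empty content:", [e["path"] for e in files if is_empty_content(e["hashes"])])
    print("rewritten:", rewritten_paths(files))
```

Read the odd-port hits as a prompt to open the capture, not as evidence of SMB traffic to Google: the hostname column in a sandbox report comes from the resolver cache, so an IP contacted on 445 or 139 may carry a name resolved earlier for an unrelated HTTP request. Likewise, the empty-digest check only says the sandbox captured zero bytes for that named pipe, not that nothing was ever written to it.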
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b167567021ccb1a9fdf073fa9112ef0 |
| SHA1 | 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898 |
| SHA256 | 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513 |
| SHA512 | 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54 |
\??\pipe\LOCAL\crashpad_1224_LWGSMZZSJRTEAZGO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 537815e7cc5c694912ac0308147852e4 |
| SHA1 | 2ccdd9d9dc637db5462fe8119c0df261146c363c |
| SHA256 | b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f |
| SHA512 | 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a029ade0c7352fa93545a353b17ff1c1 |
| SHA1 | 8d4abe1c2706fd5532b19ce9495b99861adf8cb1 |
| SHA256 | 6a9a03c67c68243400f371eb9511b16a7e76b73513edb5e5ebfe4114e0d12efa |
| SHA512 | e4f2b0f52d14b2e0a4206e4922f8e8857c81d375f5f836db86dc44cdcccd8b787da716dd20bd02dc36dba10bdc20f6a1a5626262d8ba9e241b2002d738e7a824 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ae4aa8eaef26cdc515af27e32ecb5872 |
| SHA1 | 34c90317c4aad964a22bade9837d9a9059a55e47 |
| SHA256 | 5a319bb1ea6146b29ffedad418d0a839838909d8d398bf488c1506f60ebc3a58 |
| SHA512 | 21fa34bf73a71fa1f58dd3f5b4cf3bb68156f2678079fa6b2c2e88fc5b1059d99a925d7e309e75d35150bf502a433f0eaf419aa7ccd8bb49c1d5504a1aa3e3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1966725d26e1e692b7beb762af135906 |
| SHA1 | 96bd1e42c9955ae60b2897add5fa4efdefaef384 |
| SHA256 | 7a1cb42bcf0d7562796f1f40d3ce8d0c9e969e7daf1361ffd3be8ad4a5c7bc0d |
| SHA512 | 1b466f0274e29d82e971073ddc657f5af1da8c52caa16da733e4c61c618bc45d1758f61c1c9e2a60719004defa998f8edb62ace4f6587f13708b89d15f6d51b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 026acdafe325d05d0faee56956bbc2e4 |
| SHA1 | 5bd3b0980b1694604d6accec9007e9cb84dc2e4e |
| SHA256 | 7f6b02ccb3c6233d13708cb4e7b49e3a2c21b9bc41cdb07fea37186a0e40af3f |
| SHA512 | a665769bebf2384d41595b4f4920cc22a57c7fa3321394dadfd1d3aca942f39da98f06f795ca9b8652ac8afe7ddc106a57dd91afc671eecb0efa99ba8d768d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |