Analysis Overview
SHA256
a93847595563b1c2ddebd5adbae1a949fd0d9745dd0cbaa757a47d2d8fff8f23
Threat Level: No (potentially) malicious behavior was detected
The file 743df7645fdd95302838991c7613c7a3_JaffaCakes118 was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 03:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 03:50
Reported
2024-05-26 03:52
Platform
win7-20240221-en
Max time kernel
143s
Max time network
122s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07ED5691-1B13-11EF-BEEC-D20227E6D795} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422857270" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008adac2d7b11200408675472cd8ce336e00000000020000000000106600000001000020000000604c926ee0c824f62b1fcd656ee8c0324cf9418fdaa20d6d9ede8371fde51c9b000000000e8000000002000020000000749f50bc57608db92e3c74145a6f2e12fa3321e273ad01039889fddb6efa911f900000000767a525ec6febedd6b30592805c5545938bbad151aee022fa1ed774c4f94fd690fabf2a96683fef2abd895b3903e9fbc08ee566d5c83ce929d0ada1e98bbecc946b5f856c6b9629bfb1a41bbe0ccbd4307803a310a096b64c2f04c2d003fcd884f598a3ef379d7fe94e69da8465771ef7274c277ea9054926f57bd08b680f492ce7d15c2402cc780c96b63e04cab55d40000000a914fcb9f369808127370056d5d923839c8fa1485e7c22786e8a0abc97f75ea4df48d080bd0e7ecff8628416d8feb9a8f0ff0007064ac9a2bcc1e3d684176690 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008adac2d7b11200408675472cd8ce336e00000000020000000000106600000001000020000000f7b02418887fc4783d983685010c3de102b0e4d7c682be5132257cb5806d587d000000000e8000000002000020000000c6d2ae967c496b6f6fe088e46f743f2065063bb9f16c89083da8bfc4b3978d6820000000573c7a4c4c1659b86f5b9602bc313e1aecd48f0dfaf5d0e0952ba5ab8f44c66a4000000093ee652e6422284594ca6b02f701e634b126eafdb5fd771f127b465a01a166753184c5953c6fe38884a7a6e9b3dcb7df5d64d8bb362d67a0f85053356d7fa9fb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4034751f20afda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 3024 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2472 wrote to memory of 3024 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2472 wrote to memory of 3024 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2472 wrote to memory of 3024 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vn9.clftx.cn | udp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1518.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar1619.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 048a754b2a039c0c7663907c30744ee2 |
| SHA1 | 81cd18dec2a3b797d564acc8f3ad805d906a5dff |
| SHA256 | e7294ebb5c39f132dcdc5be7c2d7ba9a2762a360e51be8b1a05476130f0c62ba |
| SHA512 | 6ac84365946adc5e009f2fe306325aecea9c621640eddd295cfd9fa2d4e706fef13a620ff42f58bacf75cba2b427471973f314d2c7c3317af7c094dd0db23f8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89bc08e30a849de93ed2e7f2f3680457 |
| SHA1 | 982b6a619acb95b31ec7141baf6783cd3f95881c |
| SHA256 | c04d535c10ac0622e83022ccc51eafad557bdfa7427e0e727e971dc668ba99b3 |
| SHA512 | df5c01d056c509415436f288d947b94222f7602bc8ca40be6a60a0c401bab58dd9e522ac0da9522cd2aab096d6a1280d1bb33f5dd33b53717c74d26226079f59 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d324d75209c9649282e700939361fe2 |
| SHA1 | 22dba4cbfa9763b0e55b48d0ecbe072dfd4bbb0a |
| SHA256 | 35ef03b348169a452aefe8dfb6efb16d4cad7a2195139c2088b447e1786aef9e |
| SHA512 | 2b8c02e1064ac03a0ce0a4e92902a7eaeebc1e0d81beaa47495fdbb69c130b0d6a30643cf737c5ff19550d577a343ef802a0ab0a2edd022aec9a4ea6c1a7d074 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79aecb9fc6579fc465ef33cf49d523e8 |
| SHA1 | 1e32bb29bd4ccbcf5f4159e9c797d076e72d1211 |
| SHA256 | ff56265f3ceffb9310aabff53d0814d1479e9ebcb6261a38ae9c70ce9284b281 |
| SHA512 | 2fd45579ded84561a357d4187edc2116d0fb12c2bf29a4d68f9d77bb00feb1bf5d8c965abdafa77921465c8d97b8c13014e71ba23bf7a252e0c548fafb9d8a4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bc709ff9cdfc098b1b7ab157a10d802 |
| SHA1 | dc8f24b2fbbcce7b3f69bc0659afab256c4a2418 |
| SHA256 | 4b215321d558d23cf19e7ffa3a501fc2d7968de4182a173c7a8bfdd9ea1037c0 |
| SHA512 | 87d6a9be76ab2919141116e82e2925ff15cc5ebdca7438ac2d3e0c55b3d7c284eca1605703e29e2d7b7e9b42a390b8d1654f92710fa33b76e9b9b3410b307403 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6bf14e586a7a414ac9b204f7dd7696a4 |
| SHA1 | d1ae093442f9ffcc1dd65440ad25abdd9256ba53 |
| SHA256 | 20c2ee0119c7d4610729b371a27a08d6960c7676a395f8963d80d404d7caff86 |
| SHA512 | 0dd0c266e71161907a47933bd1abcab582a180582dac8fff656e0a010b3de32ac1cf93e22cd571c3e01cd7697dcde01cd90e25585021cc70ea0837100d8d2f67 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f934bf7ef73d446f890c0de75e079625 |
| SHA1 | 18e3f3325bb234418774a9ef69d37e65a1a9e135 |
| SHA256 | a98781b0c076f52f67a30f55c2fa419ae2d164afb50ed2ae3ad7d5de2b1ca15b |
| SHA512 | 26cfc9b8ee4e354ce64a63b304f5db095427a2e00141f6ce1d5b30f56c564252cbedb206596aea4301099e4667f11e70ccc6aa4fcc4d090c6a53faeb6f5738f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 830346e627885e8f4dd015b12685a789 |
| SHA1 | 8b609c7abdb743eddb16afd20d2964d57cf49aa3 |
| SHA256 | 605b04d649dcd2eb971f930713fe7ac58ede331e4a68a97e1e2e18422598ea02 |
| SHA512 | d337e4cebf5b586f1af39416a86d2b347d6641aa74ff5b98bc22b66ebb10c06d334943141ccc6aa496c928ea0e4ed6b021ed1b4bcba0a3730136f8eb81c2c55e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e6c0af6638c7cbe059f7d3b277e9abc4 |
| SHA1 | bb6bc773b821278d06ff191f16f9b6173b68a30a |
| SHA256 | fa425cc629ef5cde65253c8b1c2195667f5e74beec65edd9a86dfb92dabf62fc |
| SHA512 | 4cb38e6fe0af8559f71c717a51d00a889df90c5986cba5767e2a1fe41ca7e309064a7f7ecbef2528c8e57c208e9c4f81e63f13717bb568e2644a1e45cd4ccd4c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4cc1063be6c0b2f5fa1d97f8830092d5 |
| SHA1 | b63de665e5c9f91f977772e350ad9e3902372050 |
| SHA256 | 74e0be1ae86d524f7b291ef236dd1ce8ef2bc44592acf5ac7bf216dd52f6fcb3 |
| SHA512 | e8cbc90c746a3fde804f5fda0a6bdd7758a9e4b1d6c5b95ee8b63431d5a8d5559f631f4d24bf8d7e0c24253ece6f08b331803b45c4d210a3acaf91f942325d9d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d35de1f9cde54ce7dae9a41228c6569 |
| SHA1 | 966cb4bb320023a446facabfc54b88bf93cd9142 |
| SHA256 | 23824fd7f83399266cc0149a3c350a31b953e2e94f48f7f62829efae5a41198f |
| SHA512 | ded563c5925b84cf87bf312760702f00b45dc881164afba84e23f7b212eacbbca0bcb3a29319b4c394a50efe0db97bf62c674101e81efadfdf6b85ba7b727bc0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81239b3ec445d9da5ff586ae84b7f1ea |
| SHA1 | 1966e921d1cc2eab55cfd66ef586a4317c9b74ef |
| SHA256 | 8474f839385b82a6d0bb40c1366260b158cdc15a6efb361ebb6f1805a01e9d78 |
| SHA512 | 06784273e7c59adfc73c26443790cef77f1e4a314349d12bce6c8ce70d1206c6085ce969acf9b82c99b77db89c7fa4f89b8c3fe8bee6d12bc7f2b28cd85095df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c74f31b9a3a734719ae848c7efd6321 |
| SHA1 | d236adc9846409844a9fb822f24ca346cf0530b8 |
| SHA256 | b4495dbb2bf35891508e944cbed19d95553747be1c9629d522a3fb863a6c2753 |
| SHA512 | 371f3492a5591e9ed6c9412c8e3516d283896bbed87abb7e371df3ed4792b39ae8a41ec7eb1dfbd3ddce5114b7758e69bf0c1d522adce2b855722dc37905f82f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb675d2a595f53afcd95344fc3badf1e |
| SHA1 | 89e2cbaa62622c7ae418294f7927d56ca3b362ae |
| SHA256 | b3c152b1fe07cb2e6c3cbe7d488062ac91c78c5eb9dbcc1a30e4e98d0ebe8919 |
| SHA512 | 86c71ed31fcf779f366de79bbd562d61f442e89a5d8cf4c0053f9f7fb31ebd512cb11961706c435b5a29647c7f93dfc50a2e60be94ed20f8b229b1c8379f6827 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 687d5d65ede1a219c96368a80be39cac |
| SHA1 | be403bf8d631e4171e8a10b2b574e29c8ec67afc |
| SHA256 | 0b24b3ceea9ca34ecf8af25dd19ce78c5fbf4f8202f02fde2bf595e0d6626493 |
| SHA512 | 1dcf33ed82c35e5ff4820029da7dc8b89dd9f8a80f60171383e12aaf18940e6f873d311bae964d709f791c8d8fb4a18ad3f6c4822d0b59e132c0b3f093c443a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d1db34a97d321e5e9c9d939b1fe88fb |
| SHA1 | 0ee0390fe61821f79a7210c4a9518e2b60cbb586 |
| SHA256 | 8eb3475faa0178f733959f63ba2cbd2b5066b68a56bb2d970da3ca362d771b41 |
| SHA512 | ca8e77d29c8d2e81e064da274a7916c8d8dab36ce33f8f4c9d0437c1e3118b01a40a0fdf814726b77e132d1fcf233dce611f398969b30382fb50f857768571ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 158d63579e0c205163e33b646b4cb969 |
| SHA1 | ec01b035d3bfb4905be846534f886830349a26b8 |
| SHA256 | 0c69fc9bf70d2883f40a70220ea9c477a3266ac3b63debde4458fe703515b2d0 |
| SHA512 | 27237e450289df423f67a307b08e32b8287b933a123838adffe175fbe29755ea2e6edb82105531a8bf788525f1d5d7e615c9f2cf0c4ab27f22a227a9b6b11fb5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e642709596a115bb7f4b7f0edd98056a |
| SHA1 | 219f7d5901c6cc7112cba8f935f7ddf378604ee3 |
| SHA256 | 9dd3df26f5c95533c6d9321fb09faa42427a4e6376b952417e10f7772e70ccf8 |
| SHA512 | b72d4eb8fa4092db315ca44f7c89eb2d65b960daac5c7e037d0bb27eea1da1b037f1cdfa71ca361aa4c58644712d816f7512ee7689c9e3fefdaf30123ea40be7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 03:50
Reported
2024-05-26 03:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aa2a46f8,0x7ff9aa2a4708,0x7ff9aa2a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12133719156172176780,412699617314722954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vn9.clftx.cn | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| US | 52.111.229.48:443 | tcp | |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 87f7abeb82600e1e640b843ad50fe0a1 |
| SHA1 | 045bbada3f23fc59941bf7d0210fb160cb78ae87 |
| SHA256 | b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262 |
| SHA512 | ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618 |
\??\pipe\LOCAL\crashpad_3080_YJPKBNOZRWJCIIZL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f61fa5143fe872d1d8f1e9f8dc6544f9 |
| SHA1 | df44bab94d7388fb38c63085ec4db80cfc5eb009 |
| SHA256 | 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64 |
| SHA512 | 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b6654f1d50e0dfc512efe15685025685 |
| SHA1 | 88169db5c429fe3a368f0bf17187823c1ce64fb7 |
| SHA256 | 598ca53480c784ff0fa2affe4f94144d652ffda54c5efdf3742a93bb52a6e4a9 |
| SHA512 | 51fb9724ab50ba55c0b8f6c22ae74cd61750bdac1b756abf0370a71d2d920fe5a1b5273de69ff98d3e2fb5e4d0a9e430795ea8e8869c424a7bc25fd19e3265df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0c0ad7b2c18726334009c4e05bc2acb9 |
| SHA1 | a298dc7dea5a83a5fef4562a323a51902b8ef6d7 |
| SHA256 | 3956d1f4e6f9c38a2756457d71c2ac505d1c3742a6c5a3359cf67484e3108aea |
| SHA512 | 376406b408f1262b65ec3bae118ea91664881f671358acb58766387741b5c93c153ef2129fa6fd83ada9236ff41e65126d45d3856a6319b4da646f8bd8ac4974 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5318f5096763922ef39d74a86bf086e0 |
| SHA1 | 2ef590a251d0775c3297625a8a4445dc3ca1585b |
| SHA256 | 833fbaf6d97bfb5b38fb9f2cee8ea130aa995e9a00a99cdfa8224050d97f25f0 |
| SHA512 | af13f242510fd4a235ade2371a109814445e95cf39e01725820765e337dbfada16254fb0a78d9d8d0f66717f84083ac8d5874d3e2f586bacdcd7d6acfa78719a |