Analysis Overview
Threat Level: No (potentially) malicious behavior was detected
The file https://www.123greetings.com/events/sunscreen_day/?utm_source=emay_sunscreenday_email was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 12:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 12:13
Reported
2024-05-27 12:13
Platform
win10v2004-20240508-en
Max time kernel
1s
Max time network
13s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.123greetings.com/events/sunscreen_day/?utm_source=emay_sunscreenday_email
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0a6a46f8,0x7fff0a6a4708,0x7fff0a6a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,15437700009343930126,2711662377783760879,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6480 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x304
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.123greetings.com | udp |
| US | 184.72.245.68:443 | www.123greetings.com | tcp |
| US | 8.8.8.8:53 | 68.245.72.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.123g.us | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| FR | 99.86.91.87:443 | c.123g.us | tcp |
| FR | 99.86.91.87:443 | c.123g.us | tcp |
| FR | 142.250.201.162:443 | securepubads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | i.123g.us | udp |
| US | 18.239.208.95:443 | i.123g.us | tcp |
| FR | 142.250.201.162:443 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| FR | 216.58.214.86:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| FR | 216.58.214.86:443 | i.ytimg.com | tcp |
| FR | 216.58.214.86:443 | i.ytimg.com | tcp |
| FR | 216.58.214.86:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| FR | 142.250.179.78:443 | fundingchoicesmessages.google.com | tcp |
| GB | 163.70.151.21:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | 87.91.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.201.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.208.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| FR | 142.250.179.78:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| FR | 172.217.20.194:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 5f7feed3d96db53a0feb6f4b62341808.safeframe.googlesyndication.com | udp |
| FR | 216.58.214.161:443 | 5f7feed3d96db53a0feb6f4b62341808.safeframe.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 161.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| FR | 142.250.179.97:443 | tpc.googlesyndication.com | tcp |
| FR | 142.250.179.97:443 | tpc.googlesyndication.com | tcp |
| FR | 142.250.179.97:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | cdn.saambaa.com | udp |
| US | 8.8.8.8:53 | sm1.selectmedia.asia | udp |
| US | 152.199.21.175:443 | cdn.saambaa.com | tcp |
| US | 34.107.214.50:443 | sm1.selectmedia.asia | tcp |
| FR | 172.217.20.194:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 97.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.214.107.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ccca65627bda057d1879b2a0e8eba58f.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | 2510c3b323514aec06f9b5d3eb1c71df.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | 0f2770af506767be4cbe59955ead8ec3.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | api.saambaa.com | udp |
| US | 8.8.8.8:53 | track-selectmedia.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | serv-selectmedia.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 161.47.17.28:443 | api.saambaa.com | tcp |
| US | 161.47.17.28:443 | api.saambaa.com | tcp |
| US | 18.245.194.122:443 | c.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 34.117.33.6:443 | track-selectmedia.com | tcp |
| US | 34.107.214.50:443 | serv-selectmedia.com | tcp |
| US | 8.8.8.8:53 | 42.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | media.123greetings.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 107.20.254.248:443 | media.123greetings.com | tcp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.194.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.17.47.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.33.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.254.20.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.201.222.52.in-addr.arpa | udp |
| US | 34.107.214.50:443 | serv-selectmedia.com | udp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| DE | 91.228.74.200:443 | secure.quantserve.com | tcp |
| US | 8.8.8.8:53 | ap.lijit.com | udp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 34.107.214.50:443 | serv-selectmedia.com | udp |
| US | 8.8.8.8:53 | cdn-ima.33across.com | udp |
| US | 8.8.8.8:53 | imasdk.googleapis.com | udp |
| US | 172.64.152.89:443 | cdn-ima.33across.com | tcp |
| IE | 52.48.211.135:443 | ap.lijit.com | tcp |
| FR | 52.84.174.6:443 | config.aps.amazon-adsystem.com | tcp |
| FR | 142.250.178.138:443 | imasdk.googleapis.com | tcp |
| US | 8.8.8.8:53 | 200.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.152.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.174.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.211.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | player.hb.selectmedia.asia | udp |
| US | 8.8.8.8:53 | cdn.lijit.com | udp |
| NL | 45.133.44.4:443 | player.hb.selectmedia.asia | tcp |
| NL | 45.133.44.4:443 | player.hb.selectmedia.asia | tcp |
| FR | 52.84.174.128:443 | cdn.lijit.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| FR | 18.244.28.79:443 | rules.quantcount.com | tcp |
| US | 8.8.8.8:53 | 4.44.133.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.174.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.28.244.18.in-addr.arpa | udp |
| US | 161.47.17.28:443 | api.saambaa.com | tcp |
| US | 8.8.8.8:53 | saambaa.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_632_QXEIWZKXLDNNDEWD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6d593dbbf397815c3c23d84a4a6917a8 |
| SHA1 | 56d4446fde1e05deaa6233129cd0e089fb1bfc5f |
| SHA256 | b99bc4724a31cbf816a9ad0a7d91d7c4addd23d2cfe57731032b47baa70bf124 |
| SHA512 | 179b953bcb8c413658987c4cd7719e2a3d69290deadeed2bc94b5931a0f5e5f7b185b28a482a63d36cd1ded321acfd15c551e2e8b1d863dc779179c947d8ab7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
| MD5 | d84862513956cbe61aeb4ebbfdd3355a |
| SHA1 | 14ab269df17cb0333b1556ce120d587324479f6b |
| SHA256 | a18b26912ab9e034923cc64fbfdb59d682500f2c556456930e480b6bd69e33b5 |
| SHA512 | d04ca96d72595f1e291a6ce96f092c1707064800103cde733512a186c1b22e089b63690a0c53965c97248dd782731b22fa2d27b8ee3ae112647382f1c06d1a9d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e
| MD5 | 2b845c3bbfbcb4e28ffbd1838368decd |
| SHA1 | 4414c101a651bbc06ab2d1eced6932338278e7fb |
| SHA256 | addd85cdf92ff6c8fe37ab271bbaf49b204ebb8f0e0782ff412959c1e9ac57e4 |
| SHA512 | c6a374402b6b038387d385b81040d0d6ae83b2a503be91335b4b641e9eaecace2696871b7ac79af7e78e526212de77f128738cd47142c8ff1494a11bc3a4548d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c
| MD5 | 4bf8d317d5f71b2f96f427de8d9541cf |
| SHA1 | bc56555e40ed0caea5836ab3b12ea5246918c062 |
| SHA256 | c91096817f292946f570d1f2bb1603c5427ce02b7fef1bff014107d45d997567 |
| SHA512 | 01c814a24f36e1d82a965f41b93ec5aa53c3787b648ec7afec88c01b47cd3e481c0e112b22e51ba88687adc06e5c24f9bd44e3bf854fabed9fed21996d3feea6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\21e023110db15901_0
| MD5 | 73c4e735c56be6e0f60f88ee504eec28 |
| SHA1 | 168d214ccc372d9a515f3d673fc2b0ddc16651ed |
| SHA256 | c2d79e3395219bc9e6599870dbf3b2d32296b55c3dacb9f1735f5522d6762c94 |
| SHA512 | 6d3da0969ba25eeeaffcd52c128e597edc11a5e666b9549d7fabd59471e656d3e36390950a2fa2b3589cdc6fa16f5149827bf4ba63325f970ed497ec584f977b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
| MD5 | f6b22c76324ba65e715173ab3415eacf |
| SHA1 | 083b2f492b27a0408ffc81dbe89fb306a2e68cbd |
| SHA256 | 71b06b2887601583c791a2675a21d2aa8305d8456ecde4e292b4233edd7f7d30 |
| SHA512 | 3acc4caa5c75d6fc93b07b3bd3d4274a3ec85820c7a37754d0f1b210803541232c791cb6eb1fee96ffd08a8aa6dea2f890de7f946a8352582387f910caf309f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\af7bcc4c2d17ddcb_0
| MD5 | fe0583f34c2f93c8560a12e30096e047 |
| SHA1 | c8bcfe3681ff3522fae4834f4c0cfa9f6227d681 |
| SHA256 | ff89851c2b650d164d50366860fc1c15812753b1f6ffbfa674ded1030f7915f8 |
| SHA512 | 7bf133ad1d012a62626cbbab3c78b77cb4a39a0cba8b1d6951a0a430e3f2054a1b6e5b9ac0e3584c238d3c5979648bf92c9bdd4f8b543d3f60eebb8c1ab1c3d5 |