Analysis Overview
SHA256
d1be270c73073f46b07eef477ca15e81df050aafa15c225bfbe1b8fdaa107026
Threat Level: No (potentially) malicious behavior was detected
The file XyB1Uc (submitted as XyB1Uc.html) was found to be clean: no (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:24
Reported
2024-06-09 02:28
Platform
win7-20240215-en
Max time kernel
133s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c73133b66f2acc4dbc69211227f73b120000000002000000000010660000000100002000000099e352995c9460359a4fdabe2d67cb7a1c534238375bc437a7ab4f7c21fdc451000000000e8000000002000020000000edf56085e64df4aed22bfc762efeb2d22775c5f61f5e2f65f10302983bce0dde20000000c992f763ef02864ffce1d47f7aec9e484ff044c72351134ca7cd25aba6d6e11e40000000bd9dc4c3bb43c1a1e2cded3c0b0c37f8acb471d8be6211a021f39f4ec2e04961756d12bc40dd84dde0fb286a423d4adcfc7f52ef5e83b002a13e415473bf0b2d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a3516d14bada01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98D9A651-2607-11EF-A6AA-4E798A8644E3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424061822" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
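Most of the rows above are ordinary first-run housekeeping, but three of the data values deserve a second look because they are opaque hex: DecayDateQueue, LastProcessed and Window_Placement. The short script below is an added analyst helper written for this report (it is not Triage's code) and decodes those three values as copied from the table: it recognises the DPAPI header (version 1 followed by the provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, which every CryptProtectData blob starts with), converts the little-endian FILETIME, and unpacks the WINDOWPLACEMENT structure. Only the first 40 bytes of DecayDateQueue (version, provider GUID, master-key version, master-key GUID) are embedded, which is all the check needs.

```python
# Added example: decode the opaque REG_BINARY values iexplore.exe wrote under
# HKCU\Software\Microsoft\Internet Explorer during the behavioral1 run.
# Analyst tooling written for this report, not Triage's own code.
from __future__ import annotations

import struct
from datetime import datetime, timedelta

# dwVersion = 1, then the DPAPI provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}.
DPAPI_MAGIC = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")

# Values copied from the "Modifies Internet Explorer settings" table.
# DecayDateQueue is truncated to its first 40 bytes (header + master-key GUID).
DECAY_DATE_QUEUE = (
    "01000000d08c9ddf0115d1118c7a00c04fc297eb"
    "01000000c73133b66f2acc4dbc69211227f73b12"
)
LAST_PROCESSED = "70a3516d14bada01"
WINDOW_PLACEMENT = (
    "2c0000000200000003000000"
    "ffffffffffffffffffffffffffffffff"
    "2400000024000000aa04000089020000"
)

SW_NAMES = {1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def is_dpapi_blob(hex_value: str) -> bool:
    """True when a REG_BINARY value starts with a DPAPI (CryptProtectData) header."""
    return bytes.fromhex(hex_value).startswith(DPAPI_MAGIC)


def filetime_to_utc(hex_value: str) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(bytes.fromhex(hex_value), "little")
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)


def parse_window_placement(hex_value: str) -> dict:
    """Unpack WINDOWPLACEMENT: length, flags, showCmd, ptMin, ptMax, rcNormalPosition."""
    raw = bytes.fromhex(hex_value)
    length, flags, show_cmd, *coords = struct.unpack("<3I8i", raw[:44])
    if length != 44:
        raise ValueError(f"unexpected WINDOWPLACEMENT length {length}")
    return {
        "flags": flags,
        "showCmd": SW_NAMES.get(show_cmd, str(show_cmd)),
        "ptMinPosition": tuple(coords[0:2]),
        "ptMaxPosition": tuple(coords[2:4]),
        "rcNormalPosition": tuple(coords[4:8]),
    }


if __name__ == "__main__":
    print("DecayDateQueue is DPAPI-protected:", is_dpapi_blob(DECAY_DATE_QUEUE))
    print("LastProcessed:", filetime_to_utc(LAST_PROCESSED).isoformat(), "UTC")
    print("Window_Placement:", parse_window_placement(WINDOW_PLACEMENT))
```

LastProcessed decodes to 2024-06-09 02:26:25 UTC, inside the detonation window (submitted 02:24, reported 02:28), and Window_Placement says the IE frame was maximised at a 1194x649 normal rectangle; the DPAPI blob is the browser protecting its own new-tab-page state under the sandbox user's credentials. None of this is a persistence or configuration-tampering indicator, which is consistent with the clean verdict.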
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1804 wrote to memory of 2752 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1804 wrote to memory of 2752 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1804 wrote to memory of 2752 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1804 wrote to memory of 2752 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\XyB1Uc.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
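The four WriteProcessMemory hits are the 64-bit IE frame process (PID 1804) writing into the 32-bit tab process it spawned, whose command line names the frame PID in SCODEF:1804. That is how IE's loosely coupled process model starts a tab and is not, by itself, injection. The script below is an added triage helper written for this report, not Triage's code: it parses the signature rows, looks each PID up in the process list, and accepts a write only when both images are iexplore.exe and the target's SCODEF value equals the writer's PID. PID 2752 comes from the signature rows; tying it to the SCODEF:1804 command line is an inference from the report. The PID 3100 process and its event are constructed as a contrast case and do not appear in the report.

```python
# Added example: separate expected IE frame -> tab WriteProcessMemory events from ones
# worth reviewing. Analyst tooling for this report, not Triage's own code.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class WpmEvent:
    src_pid: int
    dst_pid: int


# Command lines from the behavioral1 Processes section; 2752 -> SCODEF line is inferred.
# PID 3100 is constructed for contrast and is not in the report.
PROCS = {
    1804: Proc(1804, r"C:\Program Files\Internet Explorer\iexplore.exe",
               r'"C:\Program Files\Internet Explorer\iexplore.exe" '
               r"C:\Users\Admin\AppData\Local\Temp\XyB1Uc.html"),
    2752: Proc(2752, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
               r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" '
               r"SCODEF:1804 CREDAT:275457 /prefetch:2"),
    3100: Proc(3100, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # constructed
}

# Description column of the WriteProcessMemory signature table, plus one constructed row.
SIGNATURE_ROWS = [
    "PID 1804 wrote to memory of 2752",
    "PID 1804 wrote to memory of 2752",
    "PID 1804 wrote to memory of 2752",
    "PID 1804 wrote to memory of 2752",
    "PID 1804 wrote to memory of 3100",  # constructed
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def parse_rows(rows: list[str]) -> list[WpmEvent]:
    """Turn 'PID a wrote to memory of b' rows into events; rows that don't match are dropped."""
    return [WpmEvent(int(m.group(1)), int(m.group(2)))
            for r in rows if (m := ROW_RE.search(r))]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_ie_frame_to_tab(ev: WpmEvent, procs: dict[int, Proc]) -> bool:
    """Expected pattern: iexplore.exe writes into an iexplore.exe tab whose SCODEF is the writer."""
    src, dst = procs.get(ev.src_pid), procs.get(ev.dst_pid)
    if src is None or dst is None:
        return False
    if image_name(src.image) != "iexplore.exe" or image_name(dst.image) != "iexplore.exe":
        return False
    m = SCODEF_RE.search(dst.cmdline)
    return m is not None and int(m.group(1)) == ev.src_pid


def triage(rows: list[str], procs: dict[int, Proc]) -> dict[str, list[WpmEvent]]:
    """Bucket events as 'expected' or 'review', collapsing repeated identical rows."""
    out: dict[str, list[WpmEvent]] = {"expected": [], "review": []}
    for ev in dict.fromkeys(parse_rows(rows)):  # keeps order, drops duplicates
        bucket = "expected" if is_ie_frame_to_tab(ev, procs) else "review"
        out[bucket].append(ev)
    return out


if __name__ == "__main__":
    for bucket, events in triage(SIGNATURE_ROWS, PROCS).items():
        print(bucket, [(e.src_pid, e.dst_pid) for e in events])
```

The same reasoning applies to the Edge run further down: a browser's broker writing into the child processes it launched is the baseline, and the signature only becomes interesting when the target is not a child with the matching broker reference, or when the writer is not a browser image at all.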
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1FD3.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar20A5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b0f6c62dc0a840a22e08a4db9f0264e |
| SHA1 | adaf9868c886836b50788c3f884bdb7016a4e786 |
| SHA256 | 303a09efc1bebcd6cb33ca4869b73c8b37adef902116b75c44771c4812c74b37 |
| SHA512 | fd67cf1a93acd0cb3f25ab775c40e3054fa5a14fac805bbb45f25b7b3ed88d51f5c5903cdeddb90fda045f134f39be8d587f24b0ed70782f8437983bfe22497c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aead540ac5c040c51f49240d961c9b2f |
| SHA1 | c2a54ed5f686c2b735e162f2bcc2bdf4fd17022c |
| SHA256 | b4e797062cff9ffcc4d0d5e7e4adc34bc8a6045560d21283a602a8b976965350 |
| SHA512 | 754c20d99db7eb525e9d76376810494ec0f68ce141eb70ac7b56963da5ac784a4a6c60b8176f4d4d93a5438ba1d391d989bf0ceb5c67834d1081bddb968971aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19b2a7ffa5a1c10b2a4a2d317ef3ea10 |
| SHA1 | 2cfc22dd827cf8b0daebec0e172d34197857d8f1 |
| SHA256 | 4d5b5856e977a07886398801541acbfea8cae7b917de1bfa9a5d18af91fb5f4b |
| SHA512 | a05ca98b053f20761e6b882573cd08e571fa226bc9816dbd89d888770ac0771100b3a62cf76696a12d03ed05311b2f0cc25335d7df3645ae3f6520479d1fb709 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 232265758dea455b53aa351fbbb8a4ea |
| SHA1 | 237e1dd235bca5bf7b981cf8b462eb2e784823fd |
| SHA256 | e03017127a42e86edca7a60709bcb6d03c8cd99b57590556a97ed583804a64f3 |
| SHA512 | 2c3d1991aa686c5e3ca45db0843ef9cec4cd12b6fcb169aed826539b0ed62ec52dacca0aaab82775a7cd22291adf398af94759e78b3aa31c8a785b13f5e324bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b64d5e7dff8d15ef7ad8c8524dc309c |
| SHA1 | cb94274053a9fe44b6347efd4622d6b7c5debe9d |
| SHA256 | 83b677f10de8ec555b4026e9375b7aa462054d64716fc3add2d8d8272cf16def |
| SHA512 | cc068eda81d836f46ecb1265a5467770536edfda2ffc839200f1ac2616d7ca844e7059dac02ccf177905c3d2d5f0e933b0daa4f15dcbc6bfcbee8b7cc867a842 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f03869e5baa2531475084aa06b879907 |
| SHA1 | b34a70927604cbabda6307f0c128fe86393ecfae |
| SHA256 | e9c26997560ebb051743fcfa855ffe3882a2da43ceb3d068f77f2d65746d8fae |
| SHA512 | 87fc1e8a4f619b1dd79a05ec8b77689cab035bfebc96e76b3fe7dea2d3e8270874599fe11804f7d08bf4309b1f0f273b95a2ed29b2a5dffd1b0ba3ba3ac9ced6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec5bef4bab57b540dbd38ce528298b55 |
| SHA1 | 5a97915f884b3220efdac3861b9133056d964f8e |
| SHA256 | 2af42b481d70c54675d4b08b0333ba01453324c09fa124a4467784cbeee6dbdc |
| SHA512 | c6289f2281d6d9ad2e82be9f450079a322da850f919444b732f18d1cff4cc88fbdde39da25be9f32f34ffd754e8e1dc9c46345a539a162e98e912c7b750f176e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 837aede1e2d350ea178ba392d1ca429b |
| SHA1 | 640cbdb443a710ab10b5cb29973fc6579a197679 |
| SHA256 | f647c4c52d2d02bd1023909c2020e8e7fcaea9be530c6ec905fbd45c1b649501 |
| SHA512 | 1a6995dda479c85e39946e774ddc282cf19e76a01072f41da0690395d1d1f311bfe0f7956769d1c969f1ad92ce938e9176b489a0597664f99fc2899c1d6e28a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f10d1d8896dfff952d5dc65781d6597e |
| SHA1 | 06f154345fee2d927ab36f9e80c7049301c938d9 |
| SHA256 | 7d3c7f10e72ae2bd8d167ff760da9c3b76071a9daf8a27a743c1221164924dc6 |
| SHA512 | 4b671c6a95157a5eb8fe139562e67b22672168b3f8dd9a775621124438e2566cd976f2ab5eaf2eec1160f3d454d4d2ee3c3e3216373c902e4ad185f76a0c17ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd87d39344fbb6000d51a55690f116e4 |
| SHA1 | 84b509141cebc303a3d7154b5aef576f206a6387 |
| SHA256 | 650788f8bd846af861d90b953e055eef5c7afcc04bb0d412a5d14ce195bd8358 |
| SHA512 | 7d8b7126fb12fd6383651837246a7a0426e9870a526fe1a54bcfde1f2f834f6a3630548101a6c1161c1bfb731dbb8bb44bb18014e85757fd5620830ad4b62848 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49772a8abdbd92be43d344e5cb5b686d |
| SHA1 | a159c1658775579943d52bb46c0d31d087f0d58c |
| SHA256 | 5a2a34f8e6abc5dfd555af32d331ece39434a652e3f0f85e073413e5e401128c |
| SHA512 | b0fc1ef0d9c726ac59b1a331373be36f119f1bb7ee0c3583d3e019cb28f8825b3d701bd437f34aa2c71eb686bbf4d0cbfe7cf1b6264c4b4a20c14ac77dc01b6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f54f5e4763732d1f1ac9463ab8f4c9e0 |
| SHA1 | f47b4d78dad1dd77a42c45a568286e73ef047179 |
| SHA256 | 8a11fbfa4ee3d054a835625aa98529553b30b9cbeb228615b0bb9619e86b459f |
| SHA512 | e1e534e5ec580e7d874a5afb46d2cd5559b1852a5ae6010d7ee747b3c4bc658eab4b2bcff2674d08b9b9ff3a93e03df41d9e41747d9a3383f45b1fcaf284cef2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6db43dee4834f9b9f513ace54289b82d |
| SHA1 | b78bc4312a7418f1c4e772f08b7b0f912b206270 |
| SHA256 | 4d9de58a5824ad86b566e5ff99205f0e4b1e0fd485cd6248ce26fe374c8d1849 |
| SHA512 | c4e6f366d8e5a1fb413550152e22bed7f9bf3cf651bda3e133d1fb9c1f5b7066e42b037bcb23adb0a68e123a7cefe7f303f63163e45a195c20351ce7d3c39d77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a6e9fc8eadfc8bbd1a8f16b48b07d4a |
| SHA1 | 7871d55264bcbfe219309f5ac9acb8d6188075c3 |
| SHA256 | 8064454a05e4cfb47995feda63307af963125baca93cbda070216ed9de3a1477 |
| SHA512 | 868db87c6184dd3a4da138a25862d1ca17c41794c8b64b881020669156ae1460aeb26377405849281b250bb7c6e18729aebc36f70f6d1b6625383cb16fd66b4c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0025aa0e1309595204f84f74638fde64 |
| SHA1 | 646f64cfec0a0748403e79fe4b8a02152d1c0e1d |
| SHA256 | 724bb8fdfcef012f8b7f439829c5a5bb8488307cf1e282f9069af394ec376f36 |
| SHA512 | 79f3a66028ee12f2243a6e8e4e9c25a7614853f0fff174fea467c1e78690f5515a23e407ac020a56b46dc51a2686daa7959b3e1c3390eb1704687403b3f77c90 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da6a3d7b99fcfcacad13f3f7688303bd |
| SHA1 | 0da2a8c02fbe5ab59aa14d8e1f8237504c1efcd7 |
| SHA256 | 8bbd976b8aee1202769fee0a6dc747e5d4645f06c133b0d1cf55baa0b3ed1b7e |
| SHA512 | 83144b37256fb64d323c6219cf9fe9c03d7e071c88fb12cd79c50bea64b1712a5c2e9cb08adfd62a32a21a46e236d8573dc19b98d2c101976669805783bdd152 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e69879cb87daaaf10b0b624b405c991 |
| SHA1 | cfd6da2f1feaab2285f3a11adbac4c545cab0643 |
| SHA256 | 4e0c4e960eb112eda3288fdf149d7a45981e0f8467c6a98bb281066e7e44eaec |
| SHA512 | a0dad8e69d1aa55a7fb20efb6c99daa6cf31789170a3b398f235bd5216885a3d571680b7958623f29d74d43d4a164d4529d161aacd863cf732faf266285df44f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 467324da391404fa983badef1146789f |
| SHA1 | d0727db875f295a4ff45a6e2b94acc5be832b058 |
| SHA256 | 0ea011eb44f9badfae8e75a8e9d9dbfefa75722bcc50b12acab2ef361e76e807 |
| SHA512 | 5af92fa455f8dce4f19a0967ef83c08184e9d9d7b63cce004d12104134de4dbfa138fd53e978612e0ef3e659749cbe3d35bcb5a8d4fdef0ebc727b04e277f823 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 02:24
Reported
2024-06-09 02:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\XyB1Uc.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0f1e46f8,0x7ffa0f1e4708,0x7ffa0f1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17773220332883933842,12810353281397882890,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
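The Edge run shows no direct HTTPS connections in the table, only PTR queries to 8.8.8.8 and one mDNS multicast. The Domain column carries the addresses in reversed in-addr.arpa form, so the script below, an added helper written for this report rather than Triage's code, inverts them back to dotted-quad (and, for completeness, handles ip6.arpa names the same way) so the analyst can see which addresses the browser was resolving reverse records for. The query names are copied verbatim from the table.

```python
# Added example: recover the addresses behind the reverse-DNS queries Edge sent to 8.8.8.8.
# Analyst tooling for this report, not Triage's own code.
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Address, IPv6Address

# Domain column of the behavioral2 Network table (mDNS row has no name and is omitted).
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "232.168.11.51.in-addr.arpa",
    "99.58.20.217.in-addr.arpa",
    "68.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "76.32.126.40.in-addr.arpa",
    "28.118.140.52.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "171.39.242.20.in-addr.arpa",
    "203.107.17.2.in-addr.arpa",
    "29.243.111.52.in-addr.arpa",
    "85.65.42.20.in-addr.arpa",
]


def ptr_to_ip(name: str) -> IPv4Address | IPv6Address | None:
    """Invert an in-addr.arpa or ip6.arpa name; return None for anything else."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # v4: four octets in reverse order
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # v6: 32 nibbles in reverse order, regrouped into 8 hextets
        nibbles = "".join(reversed(labels[:32]))
        if len(nibbles) != 32 or any(c not in "0123456789abcdef" for c in nibbles):
            return None
        return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    return None


def decode_all(names: list[str]) -> list[IPv4Address | IPv6Address]:
    """Decode every PTR name in order, skipping anything that is not a reverse name."""
    return [ip for n in names if (ip := ptr_to_ip(n)) is not None]


if __name__ == "__main__":
    for name in PTR_QUERIES:
        print(f"{name:32} -> {ptr_to_ip(name)}")
```

Reverse lookups of this kind are what Edge does for its own connection bookkeeping; the useful output here is the list of addresses, which an analyst can then check against known browser telemetry and update ranges before deciding whether any of them belongs to the HTML file under test.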
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 612a6c4247ef652299b376221c984213 |
| SHA1 | d306f3b16bde39708aa862aee372345feb559750 |
| SHA256 | 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a |
| SHA512 | 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973 |
\??\pipe\LOCAL\crashpad_3076_HIYKUFSIXNWSYKIS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56641592f6e69f5f5fb06f2319384490 |
| SHA1 | 6a86be42e2c6d26b7830ad9f4e2627995fd91069 |
| SHA256 | 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455 |
| SHA512 | c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f9600ceb-928e-40c2-a404-bd17c6293240.tmp
| MD5 | 860ee54be0bcff8c58dbad952fbf9abc |
| SHA1 | a81279250910037f77ee7ae5a1d70f0adedc4e1b |
| SHA256 | b1d2b629c79c127d0def9ca4d30bae4658d2fdd5157f55eeab00833809ae4332 |
| SHA512 | a07d412506069acb3c410dd5dbc374ea9bc6f420812f477f475e4d4eb5ec7d7ae6cbff2565b8e1e5c73836f4d52ae6cb2b028e7a569636264312790fdea21127 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | dc90b1141d63bcce733fae386b2ce730 |
| SHA1 | 0a42bcf9e3f679cfe2aa92557a41f641e49709dc |
| SHA256 | 81804e09206e5f4931ba41fbee76c03c9f17ea8e57c3fbf4322114d93fc60818 |
| SHA512 | 9dfbf1d078ec4e6737fe6f7899e9005f9f9dbfca4dcf07adbd399f3157ec25831022a9e62441ed6cf0ced2b2168ebfd7edb8ed7e9a1fbe68eb2fca9ea5fd398d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b48c3d1add3c7e07b11479cd24deeed8 |
| SHA1 | d8688c670c312025877722da7182932795a11f62 |
| SHA256 | a0e03a7b1a7e7babf0a683fe13e6f7679bc4be49adec5732011c64903131d24f |
| SHA512 | ea64df88e287df6f268dfd6ba59be8d9191647af2ccf91d40557e5fffadb1b514808ba187e9a33411decfc08a5cff8f580432a4365218316129cdb8e07c5308a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2747a2bd1b42cea16b837be961638006 |
| SHA1 | 79729091bda39c23ad44559604c3f14024d3f3e7 |
| SHA256 | 927b5aed590a5c23393dad5ea1c79fb0a7b6124141baf2796b8a7a8c7458735d |
| SHA512 | 80d7bc8c317095848fc25f592fba3544c452e25c018601ce29212d2fd659bf3b9aae0d74c51f20ea31d632a65fb1b433e9dd8ed66df9587143eb63b5390cd92b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 02:24
Reported
2024-06-09 02:28
Platform
macos-20240410-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/XyB1Uc.html"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/XyB1Uc.html"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/XyB1Uc.html]
/bin/zsh
[/bin/zsh -c /Users/run/XyB1Uc.html]
/Users/run/XyB1Uc.html
[/Users/run/XyB1Uc.html]
/bin/sh
[sh /Users/run/XyB1Uc.html]
/bin/bash
[sh /Users/run/XyB1Uc.html]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| DE | 20.52.64.201:443 | N/A | tcp |
| DE | 51.116.246.105:443 | N/A | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| GB | 17.250.81.67:443 | N/A | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |