Analysis Overview
SHA256
4497a7b46fc100c327213087e507d43e96c1095877cbb84daf8fc40869af42c4
Threat Level: Known bad
The file 9c7b7d39a5af4f32ae473283d9447968_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Program Files directory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 00:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 00:49
Reported
2024-06-11 00:52
Platform
win7-20240221-en
Max time kernel
141s
Max time network
140s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px97CD.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424228866" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b8c3221473f0741aa31592aa2f2c5f600000000020000000000106600000001000020000000d342a207605852d0b395135853a1b3df8a8fb308b27b82e8c69a7f1bb5658573000000000e8000000002000020000000e43ec68dbae07efbd9cc03d6fbaa5e947457344bec220dbba548d5f59d5e2f32200000007ad99480f6be53116aa12f9c6bd1063f05d1b7cd2e85b6fdcd1225adf93a93bc4000000087ac5b1f909620d5c0a5e7e84c8ae60f770e9f1868097258524ca1a477291d34287980a421ec504a039a58e040c16aa3dc3e8e8d7469d3477dc9c651a5474d37 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e029f85899bbda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{833424C1-278C-11EF-A7EB-E60682B688C9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b8c3221473f0741aa31592aa2f2c5f6000000000200000000001066000000010000200000009e03d1857ff64430f0d3f6a01c4d9b44d116eb8bfd167ce105e11670ad2d0f05000000000e8000000002000020000000a7069e3df18709679cf8cdb62d5a48c931419f684ab2594616ead6f37ca1923490000000a81c9e15b7e36872320b76ebd28c29691cd6654eaed142a79a41f02b3a937215758713c3ea8a82c852d624ca56ddd9711f972442ba58992deb50d463ce5a994ce7ff2e0c2b0c83bc2acb2819ed8a1d4d84f9b9cc1efcad53e4d79206e5ac7ef8d0ae870e4ac12f632b8510cbec4d73177eb58a2b10311dc18cf480ee50a634af59e359511b114b9ca38b673617520021400000004c5b9d6574e4c24065a4bcf1a818fe3882641fffb52868b10bb75cd443b63ed8216bae366a4cd2e84a42b465ecc5bd2232edf4c53ae2ddcdf0b8f7a1c1615597 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c7b7d39a5af4f32ae473283d9447968_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | df455f0fa8fb3fa4e6699ad57ef54db6 |
| SHA1 | 51a06248c251d614d3a81ac9d842ba807204d17c |
| SHA256 | 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1 |
| SHA512 | f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6 |
memory/2472-6-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2472-7-0x000000007759F000-0x00000000775A0000-memory.dmp
memory/2472-10-0x00000000003D0000-0x00000000003DF000-memory.dmp
memory/2472-12-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2472-8-0x00000000775A0000-0x00000000775A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAD22.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarAE53.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d2a75f1312836d7c9bde6bc833ec518 |
| SHA1 | ba946c7058b68b985246d88d8141ac451b4cdcbd |
| SHA256 | 0d4c5decb0f405663bc61664acaced54e6d157bd189a82e06ca2586fa60809d7 |
| SHA512 | 2dd1acd8336d8a688ffccfd13963bc2488fb109bac7a7abb1251d4366c8a1583f803bd314218b8056dc71428cbe65649804550825d7c195774d25ad188855cd9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59a0295effab0548e6d778996bc0b337 |
| SHA1 | eb72b1df497e231a8957608f27f17436745b38ef |
| SHA256 | 14ddc31176df7841a1a0b22fbe6f9399e3b33856375b22ac211d8161b3cb02c7 |
| SHA512 | 867a3946bff5f2155bc0f478a621f26a0156b035eef9e81a8d2e383962b20bcacbfec302916f219c5953e2218b54dbe45910a65788f2255a482cb79f39a8cbfa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0af19429a9f41029be1ec00cb937c4d3 |
| SHA1 | 1c371ce34b0fa63a8790464cb6296ec451d20002 |
| SHA256 | 0d5802a4cccaab219d6756b95869fc901a8d5bf94469aeaa2bec662bad07b63c |
| SHA512 | 43d7a4a6d364681300b8670866941f962ceb6afb1f645f3987e4d6187ddac23ff20b3c7651edf8d3820d4dedfa6430c174644d53def71fd8b5961a6f6d0513b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33d54ccfc37317f087cdccbe502bcafe |
| SHA1 | 3f3a2b68392ac178ff1eb676a0bffeb60a4bc540 |
| SHA256 | 73e7b171684bb11ae031448e39130ef393db4d6d6f42130110464cd294075d3c |
| SHA512 | 13775d5550caef250de1bd24258f8fee53647413332b669b473539b011f2f35984b5c51fb96f84fedc6905fff5a257a2c282ba78afbaba04a34fdd7d77a0b130 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0acefab550470497769243929057ed76 |
| SHA1 | 084cee231e9d0535b3e18a707cf46c92030a7230 |
| SHA256 | e41d9850fffc0c9a46babf8372142a60f8a8f12909fa1a042614473f77ba4289 |
| SHA512 | 7ae0b1d0b05a15ac82ee02c9643eb906b7361123568d3dba7d0a39ffceabe9484c00235d9fa1766e9c972b5c6b050d8eb1db231b4a9b508783f159741516c870 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59a0e410fab0b56f0ed8ed79c8f2fd85 |
| SHA1 | cb75fab90676e251c471e01a8d18aca285c33040 |
| SHA256 | 47c3694df15f9a0c6ccc17eb18abb87c9d549684746b5dbfc383d3cfb0a56b8e |
| SHA512 | 90b338d940670d031ee5b2870167134a66ac199cf98b257f37eac4a012e84f324c91d7fbcda90d3f7f0fa3bd8c86bb613378a5d9b94e72bd0d442c69563acee2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80a015449f7290725ec5486dbb90bb00 |
| SHA1 | 1994b6235454ada50b330ce5ba11c9ca7c0026d3 |
| SHA256 | c3b62cc455ecd0f8ee45746b2077d45ef49c1e60aca57956006b5b2696f1cbb5 |
| SHA512 | cca28946c8a3d87727242d7f8a88a254e9f1f0d716d1b9fa3346782486f5228d211026f5530bd07554a1c5c28b21ef630f7c3fa677fe2cd088dac14ac130f393 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a8ef95a157c21f4564705cb16b31f2b0 |
| SHA1 | ba03c9d9fb7d61250340ae66aebe721a70b6e241 |
| SHA256 | 52a9aa93003a11da41861d38eb83a69fdbccc205c1f54b5fe5ee3b0641d537aa |
| SHA512 | ab5e5c738d327fa874983015663fb4f09d8602206aaaa8f7031f293461945d649fef678d70143831174ea5bd10c587c6455e3f225a3e540d4c75dead14a2af72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 156e7c6afa80de0f1d64bf5d93fb7017 |
| SHA1 | ec6d550bba0ffbf06794d01ad03b5fec5552d1c6 |
| SHA256 | eb381567b25e4370a746be27a8fb77f50a45d484b70740957bc2cd26df973c2b |
| SHA512 | 17412e7c662fe0a95721ac6fd098d3d345322f7cbff2dc66566b896511968a471e24a480c2d3e2d5eb9759cc0e3dd3755ee04be3e6b53fbaea9af965f80f9eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ba1fe11ec802cdd1d63b764e509d062 |
| SHA1 | f025eece6e34144dfdbc0b58e1f4152415d15dae |
| SHA256 | 9b339938aff3803d860301c73280415bbc5f7b153169103bf6247b02767464af |
| SHA512 | da2134bdbdc58bb75720a3b49c05e9dc5edbfae0d8a823fb0711a4d89ce6b6d619bbb9d4e5740771409a83ecf2ecb5402381b861ea898a6a9e685f3af8eee7e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b61f20d6fd18b20e0b7bf4bdbfcae2ba |
| SHA1 | 5b99f366e0b0a3e6d6f2012689ba8c105d0ed9b7 |
| SHA256 | 850527677f1ca46bddcb2d779c6d8deaff1d82e1d331e88ae58be4661ca484fc |
| SHA512 | 2e48f78c22bff6c65a7fcc1a9d4d89b8349e94dae9ff653aedb2ff16a925e77f8f02b839102f834b0422a0af1edbfa0675bcf1b81c8266a00cdf82e954a22990 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3adaef7881feb54a5953f37dec9c98c2 |
| SHA1 | f9fa5d36dc92cf47c974f460d3897fe4e0b5d351 |
| SHA256 | 9c5d016edb74f7ed3eb4fcdd05a95267475ae3e69a4b47c9b32abbd1ac899f0f |
| SHA512 | 5fb9aca036537e1771a064dae86efed58e606bcfb3d28042b0489d80c6f3d24a01f07a8813d0a8b82571a9d66c8a13df2a03c28db99e0bb04e5251d84bc93c56 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9478122eb35765dbccdd59c0e0d11f06 |
| SHA1 | 40f9253f09613ba30403bb34a064066aa510aa0d |
| SHA256 | a24c2c3fc015d18121e6558c2001e1fa28616547a47edbcf464737f3f7e13476 |
| SHA512 | 198deba33fcfe34dda660ac67d878108b450bb7ef399905bbaac970ad4460d155bc05355ca640768584e7ff59f7aafd93a8cb00e28f0e06ccbb499f3ea230e54 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 00:49
Reported
2024-06-11 00:52
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
139s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9c7b7d39a5af4f32ae473283d9447968_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a1dd46f8,0x7ff9a1dd4708,0x7ff9a1dd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2935149713232598296,3565365019210142197,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b167567021ccb1a9fdf073fa9112ef0 |
| SHA1 | 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898 |
| SHA256 | 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513 |
| SHA512 | 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54 |
\??\pipe\LOCAL\crashpad_4688_SUEIVDYXLFNTNMMB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 537815e7cc5c694912ac0308147852e4 |
| SHA1 | 2ccdd9d9dc637db5462fe8119c0df261146c363c |
| SHA256 | b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f |
| SHA512 | 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 08d14034fc14413d978d2c5b83cfde87 |
| SHA1 | 5647e20bd85ed5e61b6e36334d1cecbf243df613 |
| SHA256 | ec39839ccbeeaf61ddba9f40b0fe7389f71c27bb38267b4a183f4d5429cfa7b4 |
| SHA512 | 362a207ceabb833dd0e0ccaac39844476608582feb84e06cb69195b260951af8e64daeb0a518c83550d7005ade3c8901326640659d09f93955b01640f0a99873 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8f4d59182f9da3508053437c73b8de93 |
| SHA1 | 104cdd855f269bf8d9def0027d1db3ded2386a66 |
| SHA256 | daa83a2578b4c51b3491b16d54dec3865862e45eb629a4a97c118c26856c9ded |
| SHA512 | 4d6c505e2feadc1965d510c4c62b8f58d8615dda3a3e35d0a8dbdf1d9a2a678db9c9915c617c5323d92d8a497b25e2eb1bfeb70f457cd2dd04fa7062f71da9e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6ec1b468-93e1-4db2-8080-73304eb61ab3.tmp
| MD5 | 13bf6834e347630d96b714868801f55d |
| SHA1 | f6af10482bb9d616906ce4d37c3d5c4ea148c152 |
| SHA256 | d215275ec6fab74441300b64500dbc9b0a34c13a0e740767ed2cfa766d6ddcf7 |
| SHA512 | 1f1ee9fc907c01d94e0e593137a555109ca8cab46c090c2998962788232497c0c6f0d5eb0a4434fffb4ecd7ddc786cc0a29f05a6e097e877727c7907d1720cc5 |