Analysis Overview
SHA256
53563fbd91f64957c81e813d206a6afc7224cc8d391e5b982231afe0aa49b79c
Threat Level: Shows suspicious behavior
The file a34f01e6341149e7e5ebe2d7cd9ca3ad_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:11
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\DiskSerial.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\DiskSerial.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.qwerks.com/order/buynow.asp?ProductID=3638
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdb6046f8,0x7ffcdb604708,0x7ffcdb604718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4428 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14065257495532441428,2440026978268901343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.qwerks.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | www.qwerks.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.qwerks.com | udp |
| US | 8.8.8.8:53 | www.qwerks.com | udp |
Files
memory/3776-0-0x0000000010000000-0x0000000010015000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | eaa3db555ab5bc0cb364826204aad3f0 |
| SHA1 | a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca |
| SHA256 | ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b |
| SHA512 | e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4 |
\??\pipe\LOCAL\crashpad_808_FXSIOHEZFBULXOEX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4b4f91fa1b362ba5341ecb2836438dea |
| SHA1 | 9561f5aabed742404d455da735259a2c6781fa07 |
| SHA256 | d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c |
| SHA512 | fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6109c5e58d5f34155a434bebbbddc6d2 |
| SHA1 | 423aa7f3d36c957861645ca9c129a58569fb954e |
| SHA256 | a99a262ceae9a52f08b500bab84362a4c37c15363144227b657305d96a9f81cf |
| SHA512 | 8f4b03f750695083effd428a8902b155e0cd65ad1c8f3ce35154ad5561f5162485e5914fe537613be95611d3c109299437ab5633c609e1aa74f179f61babd1c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 517aa4d496c3f324a254b37781637d44 |
| SHA1 | b9aa01c671a12015ba68f6607d918cd4bb612526 |
| SHA256 | d2cbfa460cafc3a23219218ab2c18d44bbbe2931ff618ca70ce63d1c4bc7b9e9 |
| SHA512 | d2335961ce72e6a0ee7d9a134f89fc7a8fdb4e2a115ce1e6cdeb45edf863acc97e5cdd5a494fd36f4d24d5d3e4657f50706989a320bacd1eeaf93a026a7a4ad1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5d15f6966ffbde82fb8aee1b66689466 |
| SHA1 | 35d2801ab8d0d2523e83ff37d9dc410d373bf74d |
| SHA256 | 68a4c07a0ced1cd7d8ebf25c884b2708a61b015fa2b0da5db71f346c937f1146 |
| SHA512 | 2ae692435b714cc5fe8759b1ae41940ca4137e86146037005c8049886d4cc3437d596ad2d490e6ef3f88668e56b48b7a999567555546bc6037d4f9c66f8f5a36 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win7-20240508-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Help.chm
Network
Files
memory/2140-24-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win10v2004-20240611-en
Max time kernel
98s
Max time network
100s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Help.chm
Network
| Country | Destination | Domain | Proto |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.42.73.26:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.234.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
54s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe
"C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1004-1-0x0000000000400000-0x0000000000467AF7-memory.dmp
memory/1004-4-0x0000000000400000-0x0000000000467AF7-memory.dmp
memory/1004-5-0x0000000000600000-0x0000000000615000-memory.dmp
memory/1004-6-0x0000000000600000-0x0000000000615000-memory.dmp
memory/1004-8-0x0000000000400000-0x0000000000467AF7-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008723104b66fc41479adb63b5683a021000000000020000000000106600000001000020000000f424f9b4e960f73e4f0344185734fe256b1b6cd7a159e69a6804a90a6e0b2555000000000e800000000200002000000056429bda8e556283d5b1204b7084b83fc12b6dcab363c35025c17d154924ba579000000039f82e683b2df8bca867d531254062890cf320a93270a59b63f00f3746260aaeef3bfde987f7e72fff60c2d6f8daec92e51bcc519deaf6ac6a12c50daa7263d2707f5ed5f7540477bd0bc285f8b544dce8ced41a24ceb1a3d39f4f7200c87ccf8620a5a46292cde7498c455e885dc1230b0a5026d5004eb65a1d0bad63a7429b6d32a7fc35ce348ee437a3704a2e60c340000000122b84cc53c400777134da9d3b68d8834a167f1e4390acddf011f8db2d0ce570a99f83d47cd67906104609700213d43680cb9362683995da902cd6f7c6ef9552 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E17E4881-2921-11EF-B0F4-569FD5A164C1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bc33b62ebdda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008723104b66fc41479adb63b5683a02100000000002000000000010660000000100002000000017c24e9518aefc24dc0ff2189d846cc45ea58a2c906be2c0d9af2d4f7e571554000000000e8000000002000020000000e2a352d1e34f9b1099bdac0ac9f2b70e81376f7e086ca8d6509570b07926b55420000000f29d8838136dd2fbf916704bd33ca7ac904100407482bbc6a76c5013c6e2a7544000000000538a4fd61857a05ef1529f6a9b23b0cf3611f03c865ca239e3e2e2a832bb15eac01d9360b36ea544fd74ccb526782f5a19207586f739799208fa767e1ab884 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424402964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\DiskSerial.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\DiskSerial.dll,#1
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwerks.com/order/buynow.asp?ProductID=3638
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.qwerks.com | udp |
| US | 35.173.30.22:80 | www.qwerks.com | tcp |
| US | 35.173.30.22:80 | www.qwerks.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2988-0-0x0000000010000000-0x0000000010015000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4AD7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab4BD4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4BF8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 297f17f6b63e239051adc52de5353469 |
| SHA1 | 1cd7f1e009b071f6eee5dcebcacac6a1d7da28a8 |
| SHA256 | c81892723c286957204fc34966bcf80b9af6554ca185adc03a7ede9863392276 |
| SHA512 | 13994e1e90d2a1530ef487814a2a9827447ae5a2d95d78d653ce184db3920908b0d845b3065715012817c5e9d1e9fa5576b68bc18a789edc3e904a5f5538da84 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d94924862c5bea2b2d72971c79730d1d |
| SHA1 | 4a639a62c4b654d46e625baa23eab5f2ec48d144 |
| SHA256 | 9a245cdd1c753b11a3309f98126e20dca1d9cc497f84e4a1d25a07493b3a53a0 |
| SHA512 | 5b477407b8cd1943cb3e29cdbaf4d124d16564da4889c42064d189fd40c69857ec712162de7969fc3471b4aae610a4a86e15ec3e2d51a8dee97604686b07ee7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b31906ec6736e98605735038a7a7872 |
| SHA1 | c7b98edbeb16d8d59a3c004aa61c6536ff176412 |
| SHA256 | 02c989ef6fb2473687e92a94e1ce44bb6f69adedfe2908f649febcb2db3707dd |
| SHA512 | a8052a8aa49b5c9f3b9ea2d70624e10171dbe320faaba452949ce479be0d7c54f75dc986c14857bf73621a7893d2c0e36a39c0184cad57d58fe42e2c8d9bed92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0b212ebf0b6de886f2bb8b6b835623bc |
| SHA1 | 2ff8fc5cc85cb0b838958566f18d7e437029d63d |
| SHA256 | 102e55d83cb41cb2658e0491678fe12c094eedb35a3e20d518d1020c5818aa66 |
| SHA512 | 7496f8dd47591f01e84c4ee5fe046c1f4bd3bd2a355bf1948e70ca7938600306fdb5591ca2626d32530b2a232226ebf6e76357f10b833ba8bd56b23e61a57700 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b8973e41b79bc87aec3fe370843d282 |
| SHA1 | 3c55ace9b2499775711fab1f2e24f2c5fbf68088 |
| SHA256 | e1b5b2832b01fe417748d7814dc921b4bedd5839e6c668c1c17d18dbf4cc35f1 |
| SHA512 | c640abe92606948e90b8b7e8df92c0fe478d703a6f2f0b56d946d059a785a10f425eec4676f06b9d4314555f37797956108fdd91fcbb291412d8fcbd315deabb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9831252c314ebbd4f76b8043e93c1e5 |
| SHA1 | 560d932c604b96dd07cb8f003155bd5805f1f91e |
| SHA256 | 620fb473ed5af27d9bd5b4bd1f7802db4ad79db703ea0ca063f0c0f5191db9d2 |
| SHA512 | 559bb4c34cc272802777f009c8c2154ea5b7a2073bd2568c0aa27bc2490b88f8972851355241dcd58b1e11ec5bfa73bebe5a4a002d1bf38535ac095187e16a11 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7499d78bb35ece8a48a54586c2a0e114 |
| SHA1 | 3fdcabd8129f448c5fd82421aeaa57a23c4ccea9 |
| SHA256 | cc7a3c9379f2de163c26af919cfd3ec6f871ed257cf7c285b0a0f3504a1c1ab6 |
| SHA512 | ddfa1a1332d828091bbc676dfdb5638c9d1a15fb5b2a9e1190cfca2aa901f52a592401de5b486397fbc403091709ea5d66b6882683978e3d3e545a83fc5b1f53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed2cf3552b68cee257ed3d09e4a4d9c4 |
| SHA1 | 07d1df54dd0abb6f0e84a0374c334fd0918f5804 |
| SHA256 | 66542478fdb4e7aa2c46353ea3b5c07e611b7a784ec29ef4866c47d9e37e28ce |
| SHA512 | d86defa1c532fe68725d99634002920f909fdb61bfd33b51de4df6dee9c9b539a79a890445d08381bd7c2428fa99f9a0ca3078970ccde740762bcc5c5ca2824b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a8efff0d9c717e2f9991fcde9fac5ba |
| SHA1 | 95edccc47626a0af8563b78c0968ab5a0d098ece |
| SHA256 | 1744bac7e38675420de0fa1aa7e149504ba25c5fe9b8c4a21730182bce50b20e |
| SHA512 | 536aeb308a50b8915edbbe0dadb779aba9fa1dc0d451dc6f47a8843104d56c08c8cc4fd34cc3e581d31122553f4a1e7e2930893b33eb660f442271af95b1d693 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b676f67d0ed3c933a556f8246b8a240 |
| SHA1 | 0794bc81f6b2aa24aedbcb08e9c3eafbf53d9835 |
| SHA256 | 4ae77a74c4060b1b49814f3b835e6bc89b8926da7c591b2ac8eb34776aa2e2f7 |
| SHA512 | 92c6a4895103ef97a1fb7e540cd425e7b5b177a24e802070fc56cfb2bcd204d78cd159a009d0a2a4f4f02434ba0dfebb5712c15f98153551e9b81cdaf704fe47 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 317df2581c713aa11e4e9b484bbcc8e9 |
| SHA1 | d2a88d31c46160a25b1be6dfcd75829a1e7ee126 |
| SHA256 | 48322aa658c1712fd5f2b027e648f88c365cd4c88e0089ade8f03a6019e84ae6 |
| SHA512 | cd3294452504d238f3f1410319f69478c012cbc717805bdfe680aa4981391ead0d4b2c28122ba34a12966e5dc7a09d89f6bf53004be863c1a397ac78ad0b10ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 773fa97cbea0a7e25a77510b291ce17d |
| SHA1 | 255cbb17a0fa9cd56c9f696432f60e9f5edc51bf |
| SHA256 | 26a4556989fce993b6a1826873bf884b7f8b9cdc1dd5f5c60a0c1b4831db31c9 |
| SHA512 | b24ac62bafd2bd4c9f36b0a3e0ab6cb5693db9f02a63fa9b2f1bd1b48c14a5198d7bceb8b08117e783d19f6ddf6dd674ff15b1daa475c30cecf3493f6032c999 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8428e84b675a9206133e6ee849afe1bf |
| SHA1 | f95ff84761c98381cf5666bcd019d3198972af26 |
| SHA256 | a79bf284b7ba7051d9cb34603b0258c56b43fd8d179fc5ad9de995ddcc30ef0e |
| SHA512 | d19a684d470dddd4e2ec98e78b890165d43e22db5542a1a552c740eba07626214acee0b15b2edcb6238221bf2f72dd217b6ddddd19660eff13971d3e016dba9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f71cc155c1d828e4458cb285e1a13822 |
| SHA1 | 47fcd7a73b87f62001bf1d5f0619f976b8d600f7 |
| SHA256 | 60b31f5e9b8c1b220c8c2254d9374cd60de5239c639fba5a8c752c277c864460 |
| SHA512 | 0a18ddc0c24edd180e9a18a536537879de50966b6f64d32757a801b0cca169d36cc3b0490b1ecb8f674b785782f64848a28b055e9dfd7e0364621c91f8e42d98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a276435428b818685a08bbdb17de0c7 |
| SHA1 | db51d71024c747f46d1d760ef7270f09dd360f87 |
| SHA256 | c6d2b413c5a5e2a871fcba283bcc68d53f003c44b755e2fd6297649edf06310a |
| SHA512 | a2c8acb5eb7630fd2067e2fbbba8f10d6424febc15e335258feb901e98a8760aac5cf4c0760ce0e16619691ccb4a98495d2f1f08f17bfa13d7180a76d7689c7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cad7f24783d407908204a4aedc75213 |
| SHA1 | d7b107c135d409120f4abb7faed41b49ad88b67c |
| SHA256 | 67562db1a9e803a125d9076b9bbd5a2242e051428120d1731ffc34351b687c0d |
| SHA512 | 833676ec790c3b66994e6de4e0ae5230b1f4832a11d08b315d813f0b7e9c50921155768e0e6ac7c9df3435d4e82bc984700114b0c3a716fba75bcae28e5d142a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae790edb58bb8fcf809363f49b4219b1 |
| SHA1 | 3ef6a14f35ebba66c28f382c2e5e7ff55c3cc4f8 |
| SHA256 | 54c05ba5974c526808aceb3abcf286256f38e911ef24f17e017a527568c1999a |
| SHA512 | 9fc8f86fa73156e5ec5659464f2ea529a6185caa421d4780484bb1284692ad7124cfc4c8e19b8b9e5f366d38262011a01337ddd9f9d73aa6f7886a35b4ae6b0a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43f92b5a31edf405895882de246527ae |
| SHA1 | 9aff6cffb8f673c800cf7774dcebcd6e8798a530 |
| SHA256 | 5864d23c9687dd1e8c4771cd9c3989b040fb6a0724eaceb73d76ae435956abe7 |
| SHA512 | 062e780e30e1ca31defd2cc7bab6e1c71e5816516aee00f5cd1ac2c1a318c5701d7f8bdb5947d324855409e53e8fb45c18ac01a067da9c9c523f8946159bd6c8 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\SkinMagic.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\SkinMagic.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win10v2004-20240611-en
Max time kernel
124s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2284 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\SkinMagic.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\SkinMagic.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:11
Reported
2024-06-13 01:14
Platform
win7-20240419-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe
"C:\Users\Admin\AppData\Local\Temp\Ancer-v3.5\Ancer\Ancer.exe"
Network
Files
memory/1044-0-0x0000000000400000-0x0000000000467AF7-memory.dmp
memory/1044-4-0x00000000002F0000-0x0000000000305000-memory.dmp
memory/1044-5-0x00000000002F0000-0x0000000000305000-memory.dmp
memory/1044-7-0x0000000000400000-0x0000000000467AF7-memory.dmp