Analysis Overview
SHA256
9704089855fbd9dae0830681b51ec899bdf762a627c039d0efcbcc364b033129
Threat Level: Known bad
The file 1670ad86a1374a7b91e737a250d56e60_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 05:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 05:59
Reported
2024-10-05 06:02
Platform
win7-20240903-en
Max time kernel
130s
Max time network
131s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxE33E.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06ABF7D1-82DF-11EF-94A5-465533733A50} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434269855" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1670ad86a1374a7b91e737a250d56e60_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:472079 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.c4v2zd.top | udp |
| US | 8.8.8.8:53 | news.share.baidu.com | udp |
| CN | 182.61.201.94:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.94:80 | news.share.baidu.com | tcp |
| CN | 182.61.244.229:80 | news.share.baidu.com | tcp |
| CN | 182.61.244.229:80 | news.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | news.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | news.share.baidu.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 112.34.113.148:80 | news.share.baidu.com | tcp |
| CN | 112.34.113.148:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.93:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.93:80 | news.share.baidu.com | tcp |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\CabFE00.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFE9F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97893df6e447b4c2fa2adda0a450213a |
| SHA1 | 692a337e05899b66dfea27e2625e649208f79394 |
| SHA256 | 1084be0dd782fa22c5e353e7fb8ca672c9909d074f3e752cda24ae71e35955d7 |
| SHA512 | 97128759d58a30b1f48cc6ab52d34ddf9a28811a18c036b3965277b58342cce1370521909a86d66be366aceb10cc306da27db090fba295b058af1a773f4cb1f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1cf0e3e916c1ff14295b4b3f5131d3c |
| SHA1 | 1a8e2b0d641b052e84223866f134e0afd263ff23 |
| SHA256 | b56bdbed505529dfc4769891bcef60a9e04483baa89220b715d45d7ffc28cab1 |
| SHA512 | 2b34b21b641e30a7850dcab1bc89a90fe4133ab21d43b80f290f121f74a37b5cc38d7fa0b0063e7c555009561731ed5634f761af3df53b1722ac50a121a81437 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3c11a4e1ead0d4a6c6a9ce2e5decb2c |
| SHA1 | 54bb3326990a0f24658d1459f86019c490e32e0d |
| SHA256 | bad7443e0a7b6b8e493cb58bfa6fe1929950a4950fb2a8028879d353abca2e2c |
| SHA512 | ea3885084ff9be259d35185e9157dba6c840afbc9d47f7843dd9efa82abdb15f84391ba17ceea06620ebbe26de9bcc29faba9ba6c69bfc779b7ae90221cb8cdc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f415efc4c5fd70c85e609c54cb69019 |
| SHA1 | ded35c05993b11bb2c526299cc1fd7bb225264b8 |
| SHA256 | 90f367687f6228fd4c2f1158e820d9564390a50b4df8c9df759834e6adba0e57 |
| SHA512 | 6d213a95d65f582ccef686902f68c8a1938e504973bfedeec9d5ab72f5921882cc7d98cd7cfac87445c81d6b785637c2eb75cd6423f47f3490c3e4c112de8c8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97faf653fecb854a4ac85c0f6f383b8c |
| SHA1 | 4f6f4adee358d504f0f6bbe7527fc8efd94ad7dd |
| SHA256 | 4cbdca9802c829dc7b64843b95f475decb1aefd49726f23680cfeb5467cc8abd |
| SHA512 | b4b5096cc1b08c80d71d72af44db8d10be30e522ec6bc98f9b8f4fb7611d25da4aaa5be258d94d42def36979ae2791ba6502c5afcd1d1f2a8dc7153ce25eb143 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1f9c98b3e8a534576f2a0ab3020ca08 |
| SHA1 | 8c2a7856e572ef97f6ec2574e3c81e24ce8daff8 |
| SHA256 | 27bf4dd60f4eb3a8b7e40f811de69940eaedc1b02f882276204f60affce95fb8 |
| SHA512 | 4776563c86b2961c32974bdb09eb66056b5f523fe62d7287c27bf0157777afa985d6aa963f597e86cea3b68450da74448f4289e560fe7677111be4ef35df35e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77571edda8d328ed590904219458f483 |
| SHA1 | 8c63c947c12da1ce1efa164d5f8c157674bf0343 |
| SHA256 | fcb5864c1555344fc40ce14c182608e6d9d3511e46c72767f514f459369b5722 |
| SHA512 | cfc401455a902037f3e17ba9531121df6e5d5d3d5b33e686c2552b7a52ce4b2671c6056cdc3b59f0d7fbe9617d1a2c087785637d847eec60f9d725e36b2b54aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6cc20f28759a158b4a50094d2e9b83aa |
| SHA1 | 305c8ce5dbd58475f59793871e0660e483186b7b |
| SHA256 | 4733ece4fff6f0f79df7f0ec09f016e651c4f87973963d48b2987f9cbb27442a |
| SHA512 | 9603937a6006e3b4536d694a6fe0583a585064e967d0a6afdeb59f269130089817644454302697c7a74e62802d86abd02d0a17a9ccc41a62362de2a7ffc1a489 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a93f191f4f38feca95c34fe87fdc388 |
| SHA1 | 452bd81bc9f7363548c215542a5c04acdb66fdaf |
| SHA256 | 7407e7047e8967e6221e075aa0fd08e6e897474dec6233ced55215f88c72d9c4 |
| SHA512 | 10b69f67584533e20b1ddf82c480fcfa0cfa6b603742b1e13e07fa1ce64cb85f35c80f99e310be4023e7fd1c8a478ea10dab74c377dccd22c6b73bf3c08377c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6a4a1a5b8569b79c91e6be8e117a04d |
| SHA1 | 3cd8cc96c8cf15007f94462ed9c8d5c26e0849c8 |
| SHA256 | f97674369a7f31845f06810d967c10b807f3d19ec7fb63b879e07e2db654a636 |
| SHA512 | 8e782e546aa082b408544f15d6f08fdf5b53891a4b76e25d7fb830304a308ca24289452270a9166427d717a94af4de9ff5ee1a91d4b28d9f4c49bb91f6d57e45 |
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2488-435-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2488-437-0x0000000000230000-0x000000000023F000-memory.dmp
memory/2488-441-0x0000000000240000-0x000000000026E000-memory.dmp
memory/2488-440-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1940-448-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1940-446-0x00000000002C0000-0x00000000002C1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec9b8a1f5e1b57782e17a804babe67ba |
| SHA1 | 16373f76c11b12bcc3d58d0865441ca447f0fbb9 |
| SHA256 | 942c891e655dced40909559507350908db3ddce70c600a64b724a047eb9f9dac |
| SHA512 | 66f17ba505efa5bbd15006ca262aef204b95d519145adc90e7e71f53952ee6d6e218eb4648d03bec60da92eec21bfe80c1a5b9a2c6280435a305641d59c4b4fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d04f69352737e0bc59624541340b7bb0 |
| SHA1 | c183c4c6c2e3940fade6e45ab4cc5b5936e575ac |
| SHA256 | 8154f9d8835bb493f6bc0155ecfb61ee0f490e561ec88736f580eeadc4f3152d |
| SHA512 | f0e7a40de695f4298024a8069011fb134f214acf999537286b946441e46b13f4604448e8010205ac4bea7fae16d17dfab2e086c56a6e9ae799ed85e3e295f19b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa0e004ac5d55ab2c2d05e0a8eec54d9 |
| SHA1 | 89a7cc0dfac8c5066f89646c054ac5a2c384b5cb |
| SHA256 | 70cfca79e1cb779eb87e8f824322f173ff7e24d164a76a101af21df94e28de1b |
| SHA512 | 48f3cc9ae899b0dc9e102225e4fb3b68f53951ac301f2f97ee687bf5a9f004a6927b741b8a53675275980acd370954ce4eebfee311d0eb2abd4d60cc7240678c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2c3ce0365f5ac2b3f959a255c7fa6df |
| SHA1 | 3864d89e95738c18b2dd89fc973d4d4fcd089631 |
| SHA256 | 715184d672f8ca58637efc9a5be9f590f639f3896918c7875adfba7572c22a50 |
| SHA512 | a3ba0d94d20af927397e7382db3681dbcceb5bf932ef57c3e1dfa18bb7ec779a8f7b0bf3029e859af7b953fd800ccc534081d25868e3d167c121ab995be84943 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 239eb4fa1bc7e7a044ece3590182c492 |
| SHA1 | 2b3b91b6d94df75b83cbd0ed4ed870473f761fae |
| SHA256 | 21906f2aa4986880f373835d8abbfda732ef40ab2a76606bbaece0d41a7520bd |
| SHA512 | eea0eda0135f995957f692345ec5ba5881b39062ccf632047cf4c844fde82342e3b8b4210afa48ef4ed99e3b2a5013c0c8b7f4a5be1cd3e2b657febcab498e02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e161285fd0d172cc50f135e84564ee3 |
| SHA1 | 1140d706926e58b55dbe8ebc423bf377f37bd3ca |
| SHA256 | 0a1d88e561f2237be643019591a740c762750288c9aab5a5f71b14eea4ad7fd0 |
| SHA512 | 27fe3588d467cdbc76abbfd48425d961dc32dfa003b5e2588ca203929e257c5597ab8ea02e2387160b9d7bb635319f9d82e69eb88b52a395642ed1e7f495fcbf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 344e12d3a2cfb0a84c48ef82c6ac1abf |
| SHA1 | f7226114956c0bc5578edb84ce21e8353979a782 |
| SHA256 | 3b5497ce64f5b8b96e7fed2b7821d53b2316ba2e98f1a994844d74e9a1fa7a11 |
| SHA512 | 76426275eb9f80d585f726a3c129f7cfa098d3ad28ead3911053c5cdecdf55e676833c35627f8c89b33066651949fb08bc4eeb9c846660b9cb04d85357e4ac8b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b91369a535443729bb0f486bb56e8e8 |
| SHA1 | b3aecb6f9dafd3c385e8407c323d523b43a811a0 |
| SHA256 | e0cc7d76889826246309be8223fd2d2e8e18cdb8818f7c298c69f7f6e9cf44de |
| SHA512 | bd062e6fe109e8024318ec60c17fcb5439d78b5f1172de745928a6bc18b9f37580c248bb4a3bffdaff2632a99d47088744196260ae949b3e2197901a886a512a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0415d56020b3457526a5077caea57d9 |
| SHA1 | 1ff3a9308f5fa969653eacc65413d317c9047829 |
| SHA256 | 46740d99ca4aa5321c7d0df0729760eb4d7898b1a6ada03eb4cfa9ed41b19f6f |
| SHA512 | 0df2ae7658c0f7c4f9a9f29e72b0a17a1137402d3a9655e1ced63d33334a1bb5501deb05a5d2264b6fbdb93c26acf3c19c0382d0543b22fd3bb1b7bccba22a13 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06a617189a2c6b8dbefee78350a34705 |
| SHA1 | 3a8e571620f50428a3dea1fb7b247b35f655b1d6 |
| SHA256 | 138643b004607e63c3c9762f1f4c387b0254487abcc3563a3cb0db7665f94cec |
| SHA512 | 6a8b11dc8a669ee2809a2d79a18553cb8115c953ce46380f015701db537f6b0e98d3cff8918a166c1871c94fb55baa54057e8c5e46ce5b77a566639701b81af2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 05:59
Reported
2024-10-05 06:02
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
133s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\1670ad86a1374a7b91e737a250d56e60_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9feca46f8,0x7ff9feca4708,0x7ff9feca4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7006472297021010672,15597568745365372030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.c4v2zd.top | udp |
| US | 8.8.8.8:53 | news.share.baidu.com | udp |
| CN | 112.34.113.148:80 | news.share.baidu.com | tcp |
| CN | 112.34.113.148:80 | news.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CN | 180.101.212.103:80 | news.share.baidu.com | tcp |
| CN | 180.101.212.103:80 | news.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CN | 39.156.68.163:80 | news.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | news.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| CN | 182.61.201.93:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.93:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.94:80 | news.share.baidu.com | tcp |
| CN | 182.61.201.94:80 | news.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| CN | 182.61.244.229:80 | news.share.baidu.com | tcp |
| CN | 182.61.244.229:80 | news.share.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e765f3d75e6b0e4a7119c8b14d47d8da |
| SHA1 | cc9f7c7826c2e1a129e7d98884926076c3714fc0 |
| SHA256 | 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89 |
| SHA512 | a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079 |
\??\pipe\LOCAL\crashpad_3944_ZYOXCADZCUXHEFOM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 53bc70ecb115bdbabe67620c416fe9b3 |
| SHA1 | af66ec51a13a59639eaf54d62ff3b4f092bb2fc1 |
| SHA256 | b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771 |
| SHA512 | cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 457b8ecf372147016025914436ebae92 |
| SHA1 | d3edab3510944dfa9a9f7e3cc4e00d5a6bbde5bf |
| SHA256 | 11bbae420c493e360db2491395de98f2f82333ee236a5ee7b13d6a647e316f68 |
| SHA512 | e881ad035c18a886d6420b6848905a88c867af56319399ae8fd567c77c94a8b72febf20bcf6eee08cf0fb0211af2c4ae474078eb34a9e5fe71ba014c342581b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 076a7c6aaf82730bb4667f2746e33bc0 |
| SHA1 | 24b01f532f8daf24d9f1a83ec41d097ecb54c656 |
| SHA256 | 94c0e3e76e14ef1d13c1aebd892b693a1956b9af4c2a8c2b09881b46f96232d4 |
| SHA512 | d49f33e4dde5b471fa82d1096aac0321df1ed222a53f348b93c4931dd99b1b7265a5b9ebf09d4fe1c496ffddc5e739181d177a6c3d1e83288c8763a295a68e6c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 447b3d6eeea2b4ca6ab0d1decbbd8171 |
| SHA1 | 04176ada3299c6af88930d434a93b1d7c5d94a99 |
| SHA256 | 7e20da14f153454f14682f2cc377fc1b876e20404b682c5ca796d442f0227c71 |
| SHA512 | 26a0601a88c75ac145b6d0913624116bb4662132bcd96e361b6bc45a34401bfd3a4f47bd9fcf8e5113d9fbd01669550890b0a595f3de8c6a62bad469a2bdf469 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |