Malware analysis cadden.com Malicious activity | ANY.RUN

Add for printing

URL:	cadden.com
Full analysis:	https://app.any.run/tasks/b155c2c9-84ef-4f4d-a004-079b1c5d325c
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 21:47:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ta569 apt tds phishing socgholish
Indicators:
MD5:	9CAD61F38CC0FD898C4EF8C00AB18B7B
SHA1:	81F6F8920439D986DA2A27B5BD83E31C6E16DDD3
SHA256:	B6A9FDCF0FF1C4DAE60D51D86D2E69D2E2E19BBD4C810D9523FE689B8DEBA8D4
SSDEEP:	3:NBSIn:NB7n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
Client LanguagePack Package
DotNetRollup
DotNetRollup
DotNetRollup 481
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
Hello Face Package
InternetExplorer Optional Package
InternetExplorer Optional Package
KB4562830
KB5003791
KB5007401
KB5011048
KB5012170
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MediaPlayer Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
OpenSSH Client Package
OpenSSH Client Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
ProfessionalEdition
ProfessionalEdition
QuickAssist Package
QuickAssist Package
RollupFix
RollupFix
ServicingStack
ServicingStack
ServicingStack 1852
ServicingStack 3989
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
TabletPCMath Package
TabletPCMath Package
UserExperience Desktop Package
UserExperience Desktop Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
Xps Xps Viewer Opt Package
Xps Xps Viewer Opt Package

Add for printing

MALICIOUS
- SOCGHOLISH has been detected (SURICATA)
  - msedge.exe (PID: 4792)
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 4792)
SUSPICIOUS
- Contacting a server suspected of hosting an Exploit Kit
  - msedge.exe (PID: 4792)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

150

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4792	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2604 --field-trial-handle=2320,i,16194277592197507296,15814343983252007256,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c1		binary
		MD5:DAFD0A2E599F63FA9D7EE1D98FCE7F51	SHA256:6912F7388531E949BD5406B5668CD6B55FEA4CC7E2D123DBAED489054DD98438
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c7		compressed
		MD5:87E8230A9CA3F0C5CCFA56F70276E2F2	SHA256:E18D7214E7D3D47D913C0436F5308B9296CA3C6CD34059BF9CBF03126BAFAFE9
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000be		compressed
		MD5:0CD99D13E95F3A9A4EE5D49B554D3BED	SHA256:FCFF79AE48A859046D7D3E5200A6B4216B661BCE8EB1536ADDE8D86FCC5543B3
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba		compressed
		MD5:9640915738503451AA21181699FEAB5B	SHA256:F8834E669AD1F4039442C26AAA373EC39C35A233B9786D374FC3F670F16B0ADC
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ca		text
		MD5:F75381C4E486B720039D9A7A011EF0D9	SHA256:76EA2EDE44D08EAD29997C868496D8F06A7026D91BDD56DEBF0513AE3B907998
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c6		text
		MD5:10B9924A6E640D1BE64A137897B6EB17	SHA256:8E5B066F59BB97DCA090E051D06862833E3D1BA09F9613195F3B5E6C1DAE8EDA
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3		image
		MD5:974795B6CFEBF80CD9B4A0218BAD6AC3	SHA256:1C980BA9A622021EDD42AD3099D3A9789B3C45A27261E90C3755DC825AF0F73F
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c9		binary
		MD5:BA64E4BA599E82CE3C33D29C33C64BA5	SHA256:7363E097E3D45D458983EF5917AD3CA9ECE535A2A86BD74DA5A5E19164FCB13F
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000cb		binary
		MD5:32C655DA7E430D0B5DA51C5D5830DA38	SHA256:B823EA3D199A6A0E8E925DC85443127B5ABEF2C8F84DD63C4046EB55983CD43C
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd		image
		MD5:915B8F5D2495E6565CC8DCF583AF7668	SHA256:7A4E6E14460E4439A54C3EBF8FBA7F8639F8156B26657DCC6D57B62E6C58F840

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	23.218.208.109:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
4712	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	52.119.45.100:443	https://cadden.com/wp-content/plugins/gutenberg/build/block-library/theme.css?ver=14.1.0	unknown	text	2.61 Kb	—
—	—	GET	200	52.119.45.100:443	https://cadden.com/wp-content/plugins/gutenberg/build/block-library/style.css?ver=14.1.0	unknown	text	92.0 Kb	—
—	—	GET	404	52.119.45.100:443	https://cadden.com/wp-content/themes/cadden/dist/js/vendor.min.js?ver=6.0.9	unknown	html	42.2 Kb	—
—	—	GET	200	52.119.45.100:443	https://cadden.com/	unknown	html	61.2 Kb	—
—	—	GET	200	52.119.45.100:443	https://cadden.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0	unknown	s	87.4 Kb	—
—	—	GET	200	104.21.27.152:443	https://use.fontawesome.com/releases/v5.15.3/css/v4-shims.css	unknown	text	26.0 Kb	whitelisted
—	—	GET	200	2.19.80.89:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	unknown	tss	619 Kb	whitelisted
—	—	GET	200	52.119.45.100:443	https://cadden.com/wp-content/uploads/2021/09/Screenshot-2021-09-07-103330.png	unknown	image	844 Kb	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
4712	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6900	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4792	msedge.exe	104.208.16.91:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4304	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5988	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4792	msedge.exe	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4792	msedge.exe	52.119.45.100:443	cadden.com	FUSED	US	unknown
4792	msedge.exe	104.21.27.152:443	use.fontawesome.com	—	—	whitelisted
4792	msedge.exe	104.18.40.68:443	kit.fontawesome.com	CLOUDFLARENET	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
www.bing.com	2.23.209.182 2.23.209.133 2.23.209.149 2.23.209.130 2.23.209.187 2.23.209.140 2.19.96.129 2.19.96.8 2.19.96.16 2.19.96.41 2.19.96.50 2.19.96.35 2.19.96.26 2.19.96.120 2.19.96.11	whitelisted
cadden.com	52.119.45.100	unknown
kit.fontawesome.com	104.18.40.68 172.64.147.188	whitelisted
fonts.googleapis.com	216.58.206.74	whitelisted
use.fontawesome.com	104.21.27.152 172.67.142.245	whitelisted
blackshelter.org	185.121.15.137	malicious
fs.microsoft.com	184.28.90.27	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12 2.16.164.106 2.16.164.49	whitelisted

Threats

PID	Process	Class	Message
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (blackshelter .org)
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (blackshelter .org)
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (blackshelter .org)
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (blackshelter .org)
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (blackshelter .org)
—	—	A Network Trojan was detected	ET MALWARE SocGholish Domain in DNS Lookup (virtual .urban-orthodontics .com)
—	—	A Network Trojan was detected	ET MALWARE SocGholish Domain in TLS SNI (virtual .urban-orthodontics .com)
—	—	A Network Trojan was detected	ET MALWARE SocGholish Domain in DNS Lookup (virtual .urban-orthodontics .com)

Add for printing

No debug info

General Info

cadden.com

9CAD61F38CC0FD898C4EF8C00AB18B7B

81F6F8920439D986DA2A27B5BD83E31C6E16DDD3

B6A9FDCF0FF1C4DAE60D51D86D2E69D2E2E19BBD4C810D9523FE689B8DEBA8D4

3:NBSIn:NB7n

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SOCGHOLISH has been detected (SURICATA)

PHISHING has been detected (SURICATA)

SUSPICIOUS

Contacting a server suspected of hosting an Exploit Kit

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings