Analysis Overview
Threat Level: Known bad
The file https://cloudflare-ipfs.com/ipfs/bafybeiaxsq5gwdbbwep7cyr5dx7z4yg6mk7vbsdvrles6pxmr24po5n7jq/trdsasdfg.html#[email protected] was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 15:18
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 15:18
Reported
2023-10-03 15:19
Platform
win10v2004-20230915-en
Max time kernel
66s
Max time network
73s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133408199564799936" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cloudflare-ipfs.com/ipfs/bafybeiaxsq5gwdbbwep7cyr5dx7z4yg6mk7vbsdvrles6pxmr24po5n7jq/trdsasdfg.html#[email protected]
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff885449758,0x7ff885449768,0x7ff885449778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4468 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4776 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1860,i,5729935237856974164,17887234549635225648,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloudflare-ipfs.com | udp |
| US | 104.17.96.13:443 | cloudflare-ipfs.com | tcp |
| US | 104.17.96.13:443 | cloudflare-ipfs.com | udp |
| US | 8.8.8.8:53 | c2.icoremail.net | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| DE | 172.217.23.202:443 | ajax.googleapis.com | tcp |
| US | 104.16.57.101:443 | static.cloudflareinsights.com | tcp |
| US | 104.18.11.207:443 | stackpath.bootstrapcdn.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.96.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.57.16.104.in-addr.arpa | udp |
| CN | 115.236.118.136:443 | c2.icoremail.net | tcp |
| CN | 115.236.118.136:443 | c2.icoremail.net | tcp |
| CN | 115.236.118.136:443 | c2.icoremail.net | tcp |
| CN | 115.236.118.136:443 | c2.icoremail.net | tcp |
| US | 8.8.8.8:53 | 136.118.236.115.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logo.clearbit.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | sberbank.ru | udp |
| RU | 194.54.14.168:443 | sberbank.ru | tcp |
| NL | 216.58.214.10:443 | content-autofill.googleapis.com | tcp |
| US | 18.239.36.13:443 | logo.clearbit.com | tcp |
| US | 8.8.8.8:53 | 10.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.36.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.14.54.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.211.227.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloudflareinsights.com | udp |
| US | 104.16.57.101:443 | cloudflareinsights.com | tcp |
| CN | 115.236.118.136:443 | c2.icoremail.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | exqiutech.com | udp |
| US | 8.8.8.8:53 | dialdirect.za.net | udp |
| MD | 91.208.197.23:443 | exqiutech.com | tcp |
| US | 192.185.12.240:443 | dialdirect.za.net | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.70:80 | apps.identrust.com | tcp |
| US | 192.185.12.240:443 | dialdirect.za.net | tcp |
| US | 8.8.8.8:53 | 70.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.197.208.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.12.185.192.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1272_SBJWXZYOAEZGVHZF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5330cf0546dccb07797d1d3b16d63cff |
| SHA1 | 8386cab4fdc12f1d5f00dab41c6943556b6622e2 |
| SHA256 | e6b7d833abfa95a57cc5b5fb3519e4d06d9a53d03b982460deac6faa2b86eb86 |
| SHA512 | 62a50ec3f215717095cc5f8a6d706bbead949ef67ae6752820437dfa1de4125527f9795699f7c3241c9d0523576f6ae514ae03e8d8d2e4934c256ee5993516f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ee2d0ff843e4d79b652e919b6cb298b2 |
| SHA1 | a0687d01f8cf8c91299db0e536b57480a56be17e |
| SHA256 | 7d82d6daf8132f7a64747db019eef03da0421545fa3ad01c6c76072b701973fd |
| SHA512 | 747ec80736afc55d57c35819660c5143a5668947e567bf549bc7c3b6a81a4021c8e73ca37ec8037f6fff94e58bac045b13a4f278ce5468633fcbe9c0c0475b0a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4528cee7a39a1dd20d80e5e1ccdcf8ca |
| SHA1 | 98d034b33e411fd12d6ffd84afd75803cfad07d9 |
| SHA256 | 8d70020775426ab77572dc430cca7cff79cf151e09c810310f4c9033f45aa7be |
| SHA512 | a0b691ac56afb165318e6425703644ef9eb293c168c13d22c41293353a4819c6a94ab578e41183c0d6434cd1a3ae7e0161225d9310cbfabd2d2f8911f8580176 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 754f34bd4ca44ef5bcd5956d59078f8d |
| SHA1 | 3385151b8910269d26752344509da755353330be |
| SHA256 | f7327a638b02637a24b341d529dc8e74a5332a6f376834ecf151fcd2e32edf78 |
| SHA512 | 1b7fdddb5c9103a5dc362bb0c4751c9da259bf409841469892bd0c0ea56bd84f56bdd866c9f8b696df0497dbcc024c8f7229902e7397c4099d23468824f6ebf6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 31d11b56058cda54e5493d6142109e55 |
| SHA1 | e7bd9566ea4866d439cf5c1e995c9d0a016e9663 |
| SHA256 | 43338dcffb90a326d6275529f9dfb088df87e16f20537107165cfaac0dafc4e5 |
| SHA512 | 92da1dbb86adb21ade9c6a03f3106fc69d07184032cec5edd40d787302c676982a4dbe21001c7363a7979a6cbc4449509b9b737ab380ee5c2d645528519f2e16 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 37a2e52afc4d98c5fc555bf45038946d |
| SHA1 | 87e5462459a0eebfa130644aee472017fc63a85a |
| SHA256 | ec9ac45736a55934e1bea2dba2742c5dec9a0078040902519e5b541d5ec441c8 |
| SHA512 | 861bfd2f3997af1725835d55dc2d76d149bed35b6b87abe373ac07cb808487e3d765351d44108ef8f8d303201c4b74f6cc55ddafff9a20bc8dcb95eba06edab5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d2e1c33bff662b1f5d3b0c8eb5a98ac5 |
| SHA1 | 133addc8683a86d24e15df1a34093f300be8477d |
| SHA256 | 321ee10ce7ea43f27d47b7f83dc20d57d57b639d2bd53d694d5f1c1133014129 |
| SHA512 | 2e4894da25d65da9b47789c71e1a1ae71207760629b6eef98a0c0c003072f744d2587431168ff4ad2ac11501ecad0afcd0067e971140dabf67554a9c289a2bb2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ca761d0580c0202e472ccb7e71067f9e |
| SHA1 | cfc2fd9d695de4207ec96ae54f3c2caa3b43d778 |
| SHA256 | 0bfc8a4edfd0b5dd994d36b57f0b8a9a9c89543ea74aa527453c5c924316676a |
| SHA512 | f555eecb7ac0c945b3267ea7501e9f3308bb6c60d3fb9d4d81d4f89bc757f5999fac0b4109147fb3359ec6c9bee65a2b9c00a65faf5fdb05f5c54e50ea75198c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 007b470b0189348f1bc2f4a35a15aa2c |
| SHA1 | 036b02beb27088966d37cc2210d62ea3b8b1dff6 |
| SHA256 | f6b8f1e87af5300410099afdf707ed64bab3c41157abf987ebe140bf543b46fe |
| SHA512 | 98fe5084f5c5459676f8626b297be3411c2ca25961b2307efaa40d3b40e973b6050508f7e031125c2b8cbeabe03c44cc338d0320de278bcb79586ecf0327ab92 |