Analysis Overview
Threat Level: Known bad
The file https://www.bing.com/ck/a?!&&p=645d98e2974d9183JmltdHM9MTY5NzUwMDgwMCZpZ3VpZD0yY2NiZmUyYi03ZjkyLTYxNjQtMmQwZC1lZGFlN2ViZjYwZTAmaW5zaWQ9NTE0OA&ptn=3&hsh=3&fclid=2ccbfe2b-7f92-6164-2d0d-edae7ebf60e0&u=a1aHR0cHM6Ly9jZW1zb25saW5lLmluZm8vY29udGFjdC11cy8#cGF1bGEuc2FsZXNldmFuc0B0eGRvdC5nb3Y= was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-18 22:36
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 22:36
Reported
2023-10-18 22:42
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133421423866926028" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.bing.com/ck/a?!&&p=645d98e2974d9183JmltdHM9MTY5NzUwMDgwMCZpZ3VpZD0yY2NiZmUyYi03ZjkyLTYxNjQtMmQwZC1lZGFlN2ViZjYwZTAmaW5zaWQ9NTE0OA&ptn=3&hsh=3&fclid=2ccbfe2b-7f92-6164-2d0d-edae7ebf60e0&u=a1aHR0cHM6Ly9jZW1zb25saW5lLmluZm8vY29udGFjdC11cy8#cGF1bGEuc2FsZXNldmFuc0B0eGRvdC5nb3Y=
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ca899758,0x7ff9ca899768,0x7ff9ca899778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 --field-trial-handle=1852,i,10815041298078706955,135370240734123584,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | cemsonline.info | udp |
| US | 188.114.97.0:443 | cemsonline.info | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tkitas.ru | udp |
| US | 188.114.96.0:443 | tkitas.ru | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | termalesdesantateresa.com.sv | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 198.187.29.56:443 | termalesdesantateresa.com.sv | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | code.jquery.com | udp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 198.187.29.56:443 | termalesdesantateresa.com.sv | tcp |
| US | 188.114.96.0:443 | tkitas.ru | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.29.187.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
\??\pipe\crashpad_2564_ILFZKBTDKCMCLHNB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f8868686a785dfbcff9f51a9b6cab1c0 |
| SHA1 | 3e58fbe9f520b73f3288274d3892ed1417187081 |
| SHA256 | 7b46f27caee57b4d30fe98458046643016cf63f57b5d2a0b75732ff2dd009bed |
| SHA512 | 6dd1286aa297fd6dc14f1c49edd220dea643ad75fd96fd12b89e37353190b42ca2a8a5cb9e3f48c56bd3d7a684d7300e94efa9142a629708448bbf3e863e8118 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3d605b850b4894ca402f5f638a86a3ce |
| SHA1 | fe5ffc2cd99bc87f999c99924605e4b8de5cdb26 |
| SHA256 | ca9c474264d2c666fd1b575d77044deea89213272b13d41498ead45c9873fb87 |
| SHA512 | 092c530ae5a26f18180d5868126e97409d940e6b7abf07434805092dbc7a0ae2164450e46cc5e2344fd1d823f907ad8b2ee97e2c31b3195fa61220dc944e933d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 369557ef836556d9931afef64556bb08 |
| SHA1 | 4d6683b68d4c176199ca065a7d839e9ff5db0695 |
| SHA256 | 2b010b884c6ef4a8fe0404d1a0d0620523f00043f91fb2944332fff7caa13ffc |
| SHA512 | 5aa73ac86b404195b16f0fbd40c99c3dca635ce75ecbd18edbe228ff85acc4bf3e9cbe94c00e22d214e19e2625b5f9ff4ff33fe6c2840e8cb2376351674975bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8818a9c7e4012dc1bbdf9ef5f3a9b1d0 |
| SHA1 | 5ea997e4f5cb8d8d164d8895e5f09d05aa06f5eb |
| SHA256 | d0ff33326d4ce65543f9605cd24c1f4ba33fcce657443a510dc3ba17a42e824e |
| SHA512 | 47f0bce24952a79bbd638abb44e1b4e638953ad2e24bb8820c14b4314a9d0b963204334acb5f3d682a3bbc5fc76c5281d12f3801cf12433836645f62b266a60a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 237564baf1b3fc2faee3fcdde2ba90ba |
| SHA1 | b89c6b3a3a4b26fb28936d0022f08c569a9e2102 |
| SHA256 | c834f1ac0f7fb8785b0b552a5bd950495152ae10bf593b1ec68d924faf9e82f8 |
| SHA512 | 03d3ceaced47624a785dc640603c2ffd4b65529eeca61210489a31ffb258884b0274f7459a5c2a4a49b11d22f6ecc96aa0a74d25c32e803f432c2b47e057de97 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 24febc77fa3b106d501d1b022b321e65 |
| SHA1 | 72016961b490b2e93dbb2143d6fa6cf5caea37c1 |
| SHA256 | 643ce41625d7a138564f0be151835f53b4fa532206cf1f5eedf5121f15a7b086 |
| SHA512 | 705365a7a800154e5ee129ecd0c0b370620d6c2623aaf98e321fddf5fe62f21ab9eaf094a50be982c4438d1c148215da44f85a02370d4c9d2060b95062cca977 |