Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2023 19:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout/fonts/PayPalOpen/PayPalOpen-Medium.otf
Resource: win7-20231130-en
General
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133467978875105308" | chrome.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3376 | chrome.exe
3376 | chrome.exe
1652 | chrome.exe
1652 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
3376 | chrome.exe
3376 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3376 | chrome.exe
Token: SeCreatePagefilePrivilege | 3376 | chrome.exe
(these two rows alternate throughout the list; the report shows 64 entries in total, all from PID 3376 chrome.exe)
Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
3376 | chrome.exe (the same row is listed 26 times)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
3376 | chrome.exe (the same row is listed 24 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3376 wrote to memory of 3048 | 3376 | chrome.exe | 86 (listed 2 times)
PID 3376 wrote to memory of 4760 | 3376 | chrome.exe | 90 (listed 40 times)
PID 3376 wrote to memory of 2744 | 3376 | chrome.exe | 91 (listed 2 times)
PID 3376 wrote to memory of 2100 | 3376 | chrome.exe | 92 (listed 20 times)
Processes

PID 3376: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout/fonts/PayPalOpen/PayPalOpen-Medium.otf
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  PID 3048: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbdb29758,0x7ffdbdb29768,0x7ffdbdb29778
  PID 4760: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:2
  PID 2744: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:8
  PID 2100: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:8
  PID 3056: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:1
  PID 1492: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:1
  PID 4928: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:8
  PID 1760: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:8
  PID 1652: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1884,i,5999682413090334090,10439482621396922027,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

PID 264: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4511114a-f3a8-437c-af97-248ffbe7ff09.tmp
Filesize: 538B
MD5: ef3323f6ec142b1d4da5a617c687a0c9
SHA1: e27617304932541195ec2c96d882494bd3f53dc8
SHA256: 5c1c912e3610c90c10af967aef9772c63afa7a11eb2e121dbbfde8154568fb36
SHA512: 1cf9c1eff33101e948111b94739b6c59234cb8d6da3e58127b40a95ef01b70c36caee45536de529cd6d5d26154524050f7654f80c372dd294d656c716296f5fe

Filesize: 1KB
MD5: 6e9ce08430d8e1927a580d4663843470
SHA1: 4671f1111f03c82358e9de232d6dad0c92df0798
SHA256: 90267c775edbc55e951fa5c501505e94073d352b3ba8597817a55680853aaac9
SHA512: 199912073da58fa9961abb98aad504466546705c331b190ac084b1d2169d54ab6e16683204757c8252640a1c87838efa51a96ceaa08b2b506f1c0a68b18382e2

Filesize: 5KB
MD5: a09bd57ab9be2cdfe946b6b3c163bc2b
SHA1: c3e11a42ad8568deb14a1911bc9961bd161112d4
SHA256: 3006df2c41662795fdfc1002ad9426026dcdb41c64bb04d49cf48c3779d8d9b3
SHA512: 427c7c1be680c8d1afbbdc08be4c802f72c238518bd956a403cc7e7a6a31ee9aa433e1266b294f33a44f45f5ac4e86a166f0d79c90929a4e206f7ecee25beecf

Filesize: 5KB
MD5: 777bb8e17d0837bcbd0fe50d126de19d
SHA1: 20ea15bb83134d78f309783720b6c4a772dabc37
SHA256: 60a5d498202aaf9fac7d54ad7ed06461612fa05e53be4c526783d14c52d59f61
SHA512: 7678595cfbd2a41b8fcb5095ada118cd1a32fb508073bcf8bea11ea8b16486e69f65278e3047b5d0a33f9cde2110c143d618cd5f58530a712fa692b15c1237e9

Filesize: 6KB
MD5: 7701384ba94160c38688b34f9f2fcbf8
SHA1: 88c24b86174d50a1705ebb645c714aa8563eecea
SHA256: 6aa0fe84ac844430313bea92b1506ae9417b835093d9cc049efd5fca678c8e14
SHA512: b0e0631e94c60baf14d9ac28d0cc8ce27646366e9d56cc9a9aff8a50e53704fa5aee7c8882af1a2dfe431439ff86d05daf44e9bd1f12749276f3861b20b8411d

Filesize: 115KB
MD5: c628c6d767d5576bd63f4e2d57ab63eb
SHA1: 602096037311cc60f70178d20e91469f1e569e16
SHA256: ea6fd205096e558cb351e3d2120c99305ae5594d933b434bd9e4d56435542974
SHA512: 46ab5901b6f0240eb7f219c65266a43daa3ff9a0d4719dc5312734b94852599cea5675009fbb3b402ddad4e70aee20c4aa900136e23d6656cfc40e147c734bcf

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd