Analysis

  • max time kernel
    124s
  • max time network
    288s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2023 04:05

General

  • Target

    https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand paypal.
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cd9758,0x7fef6cd9768,0x7fef6cd9778
      2⤵
        PID:2408
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:2
        2⤵
          PID:2728
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:8
          2⤵
            PID:2676
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:8
            2⤵
              PID:2648
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:1
              2⤵
                PID:1188
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:1
                2⤵
                  PID:2972
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:2
                  2⤵
                    PID:1480
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3400 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:1
                    2⤵
                      PID:2996
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1284,i,5298375684120258212,4805755112645112990,131072 /prefetch:8
                      2⤵
                        PID:2780
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:2040

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                        Filesize

                        65KB

                        MD5

                        ac05d27423a85adc1622c714f2cb6184

                        SHA1

                        b0fe2b1abddb97837ea0195be70ab2ff14d43198

                        SHA256

                        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                        SHA512

                        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        304B

                        MD5

                        bb23f467f4af7b9378c7b3a05bbffb9f

                        SHA1

                        fad5ecf4b038b3d1da9617cb73550e7e3a18b082

                        SHA256

                        e25109d15ef193f4a7d1539e6f79d09432249d7b319baa87fe2bc5c83cc2898f

                        SHA512

                        d43882b386890882e36e2c32dd0f1c2aca0f87c8b20ee7568a0aaa9a23764142dbb62b1566bb1d9aa539a8e8ac5d57cb87ad048f8f64f83776d8f8094473a9a6

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        304B

                        MD5

                        91306ea5d97652bb12e6114b70ac0aff

                        SHA1

                        42ae76c534ddf525eac296c52c6213c86267f7c4

                        SHA256

                        6d447eb0e8bf86470e9ff1fe25c78a8ed9f83613a5d606f93755f3a74e4dc340

                        SHA512

                        29e84c96ad599215f064a939ae0d381274287288a8e2c53648e944cfcfd5d486820152ef13744919e4371ff37eef9c924c96de3916a201ef3d2da75eda410037

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        304B

                        MD5

                        fc1786b2754b882b88a2858d1f294344

                        SHA1

                        789087f997c821a482b19c53f55ad45a68f750c6

                        SHA256

                        2b7398ce273dbb908bd05c5def8e3d9ce94c61f2256dfe6006ecf108f1ed98bf

                        SHA512

                        e6c1db286220b6b6e99992d9bf8b3c12a5e77997623e3cb445df543fe40997d8f307b8deb35d4608554232f5b3be70db33fe896d142f84bb3697b5367252401f

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        304B

                        MD5

                        c75e5cee01f80fca3e59b8c89c0f13f2

                        SHA1

                        deb2699864d7b9193a68d65251170619fd9585e4

                        SHA256

                        1b38aefdecd7ade586e2c6e45f5de06914b8301690c12dcb3a3c370b802c49d3

                        SHA512

                        5b5c73c751510b92d06768874957b3fc186f06250425dbd8f3fea00b401f3bfed2260b0a1ade73513879d8ebeea509f2abd9e9c4fb681b7206884aefe2e644ab

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\67d4db64-d608-4973-aa53-75d0366330e6.tmp

                        Filesize

                        5KB

                        MD5

                        13e2457c0ca331432eaa8d65d294a929

                        SHA1

                        9abdb161601fd5185b9a386882a19f5a1be6b82d

                        SHA256

                        384f69f1872ce0b43385dc14709f8461e5d50722ca5de347ed21d56d693adb4e

                        SHA512

                        e97b38c26a06a2e37e6652d52051e28813760bdc7312738b049e24f9492f67d7faf569cf4b9166b015142c01a2260b5df68ed9c7226c38b299993ef0073976d1

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

                        Filesize

                        200KB

                        MD5

                        b3ba9decc3bb52ed5cca8158e05928a9

                        SHA1

                        19d045a3fbccbf788a29a4dba443d9ccf5a12fb0

                        SHA256

                        8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4

                        SHA512

                        86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                        Filesize

                        264KB

                        MD5

                        f50f89a0a91564d0b8a211f8921aa7de

                        SHA1

                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                        SHA256

                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                        SHA512

                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.paypal.com_0.indexeddb.leveldb\CURRENT~RFf76584d.TMP

                        Filesize

                        16B

                        MD5

                        46295cac801e5d4857d09837238a6394

                        SHA1

                        44e0fa1b517dbf802b18faf0785eeea6ac51594b

                        SHA256

                        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                        SHA512

                        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                        Filesize

                        1KB

                        MD5

                        e7d9f5147702583b5cfabbc542479d47

                        SHA1

                        f296d40bb16c2053fb3beab2550fb48d378381cd

                        SHA256

                        4699df92e59c4f09761f0a2224d06e3ce6703532293bb52fc58a78e61e3f804f

                        SHA512

                        2dddd49a5b816620a5ff4f3faf9df101efbdd6bbc58f94169229c2f4eb77dcb898b9088232c6d27008bfcd9edeb1626a4748801d8485e8d69628f020f2215201

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                        Filesize

                        1KB

                        MD5

                        a3ea68de7034f088d1573e0303a79904

                        SHA1

                        ba21e34f87f216c8b703141da6de6a00afa87bde

                        SHA256

                        20a586fb2591910d7ff42949fe26ddd5d32ec78cbc1256c957161b982905dd24

                        SHA512

                        1c5951e5b0dc42dd825cccd3cb720a259979a23809647b38cad4849b65ce64ac760165e1ab615a6014fc23f6a8d1a90c87bdc7e0eeb203810c8ef6da5746b28c

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                        Filesize

                        5KB

                        MD5

                        674e7ffec5c10ae7965064200fa1d94d

                        SHA1

                        033f9afe91193bc19cb51aac2352d56279aa263e

                        SHA256

                        37d08439bfbf286503d8ba8e4733c0e4438d2c879e1a15eba95fb97336a6b427

                        SHA512

                        ec2aeefbbf3795253b4db486e061e65928b2aff34893687f97d848880175767546a08eb27d853a43a91604acb643512f78ec29035c89725ef7b6d0f200333e71

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                        Filesize

                        16B

                        MD5

                        18e723571b00fb1694a3bad6c78e4054

                        SHA1

                        afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                        SHA256

                        8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                        SHA512

                        43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                      • C:\Users\Admin\AppData\Local\Temp\Tar50A7.tmp

                        Filesize

                        171KB

                        MD5

                        9c0c641c06238516f27941aa1166d427

                        SHA1

                        64cd549fb8cf014fcd9312aa7a5b023847b6c977

                        SHA256

                        4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                        SHA512

                        936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06