Analysis
max time kernel: 300s
max time network: 288s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 12-12-2023 04:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
Resource: win10v2004-20231127-en
General
Target: https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description      ioc                                                                                                          Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                         chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133468275641228389"   chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
832   chrome.exe
832   chrome.exe
4640  chrome.exe
4640  chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid   Process
832   chrome.exe
832   chrome.exe
832   chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                       pid  Process
Token: SeShutdownPrivilege        832  chrome.exe   (32 entries)
Token: SeCreatePagefilePrivilege  832  chrome.exe   (32 entries)
The 64 entries alternate strictly between the two tokens.

Suspicious use of FindShellTrayWindow (26 IoCs)
pid  Process
832  chrome.exe   (26 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid  Process
832  chrome.exe   (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description                      pid  Process     procid_target
PID 832 wrote to memory of 3744  832  chrome.exe  35   (2 entries)
PID 832 wrote to memory of 4224  832  chrome.exe  88   (38 entries)
PID 832 wrote to memory of 4056  832  chrome.exe  89   (2 entries)
PID 832 wrote to memory of 4600  832  chrome.exe  90   (22 entries)
Processes

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypal.com/invoice/payerView/details/INV2-LXV4-EVG7-HNXG-Y4MU?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=7940a2d2-9875-11ee-9ebb-3cfdfeefd0b5&calc=131011af3523c&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
PID: 832
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecfaf9758,0x7ffecfaf9768,0x7ffecfaf9778
    PID: 3744

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:2
    PID: 4224

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:8
    PID: 4056

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:8
    PID: 4600

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:1
    PID: 4996

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:1
    PID: 4048

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:1
    PID: 1660

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:8
    PID: 1892

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:8
    PID: 4768

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=996 --field-trial-handle=1868,i,12504710072157071150,2695903785608397732,131072 /prefetch:2
    PID: 4640
    - Suspicious behavior: EnumeratesProcesses

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 1572
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 200KB
MD5: b3ba9decc3bb52ed5cca8158e05928a9
SHA1: 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256: 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512: 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

Filesize: 624B
MD5: bfc8d4ac17e4af0f78d117fd66407a6f
SHA1: 9d218814191277981978fe323ef3a5779437f6c8
SHA256: 0862f82b1e9b5509d2e7d3daa8238657fc9056d45913f72bdb70d48c0a2a4c56
SHA512: e604558ed21a2d1971152b45fe37b4680dcdf27b33d026fc716e61ea33546a54a459ecfdfb50533651c1a9b3ce8081b965ce6356331a067532a7e770cf144ffd

Filesize: 2KB
MD5: f4363506f873bc2a4df0be51ce57b4ad
SHA1: 83490ae4f9cd64c960541ed913af2c2791227e3f
SHA256: 5bf89d06c950e85a43c9b3f497cba0d55a401f34431660190b30919dd34e265d
SHA512: 4c3359339f26e4856ff453ba3efa2375e3c68fe64808e283bd4fe415e942a8e58d900816026047ec813c5f933c966f35eb43239f957cf7901f45b5ba99745eab

Filesize: 1KB
MD5: 33facf538360ac7585e00416977ea499
SHA1: 6b43ca0e07fb5bb3e4242a91e88d301d75563f9a
SHA256: 309baaec33ea52d7023301b576ba0cb047dfb392f10ae5e8e895a45f3718efd4
SHA512: 133e9065d076d1fdf2b2a722f9f9067456ef7aaba75cd37563e7171d2e9f8dfcc7afdadcceb899751cc405107b68ee2e5beb254c40c05b5374d5f1fbd1b78cc2

Filesize: 6KB
MD5: cd9f0a6bd344fc50595d3422e3d7d0bf
SHA1: bf6b5c7317ffcd49f0958be9b7e9d07ac7adb7a5
SHA256: 123a7ec79ec4adc9866c318d0fecc0e45bcd61d0fe127526f127595de6ff5c1c
SHA512: c85293f3c20aee5ea4911744558d4644498a525720aec50b87cedca82b120d59f5002b52d13bce41468d78aeefb49ac8ae9cf7e39671cc699a4f0f2029631440

Filesize: 115KB
MD5: 6369e3b6aa7760d54090dbff0443a840
SHA1: 343d903d45c98831b8c140f2fc80c162f1159883
SHA256: 50807ddc6fba02aa9dc7c26e539bb73feaddb414f030331e5380756e1be2ab36
SHA512: 9154091ca1f6303cd619026c86a575eeb6167b6c2a5dc9f1ab407b8bb391a2ac7d54cc1e98e32ea146372782193297e2ed14cd396381041f24ffa22d9995c23c

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd