Analysis Overview
SHA256: 59c34ab10c3ed2f66543503c63df63cc7afa45bdd867c37a2281eb363116fa22
Threat Level: Known bad
The file a1s-root1=email_banfield_2024_01_25_16_SMTP-att-1-4TLRgQ29l4zJmsx-2024-01-25T16_51_46.eml.infected was found to be: Known bad.
Malicious Activity Summary
Kinsing
Drops file in System32 directory
Drops file in Windows directory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-25 17:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-25 17:32
Reported: 2024-01-25 17:41
Platform: win7-20231215-en
Max time kernel: 477s
Max time network: 360s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfh009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\Outlook\0009\outlperf.ini | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ = "AddressLists" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ = "ApplicationEvents" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ = "_NavigationPane" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046} | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\TypeLib | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\a1s-root1=email_banfield_2024_01_25_16_SMTP-att-1-4TLRgQ29l4zJmsx-2024-01-25T16_51_46.eml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | config.messenger.msn.com | udp |
| US | 64.4.26.155:80 | config.messenger.msn.com | tcp |
Files
memory/1516-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1516-1-0x0000000073BDD000-0x0000000073BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
memory/1516-142-0x0000000073BDD000-0x0000000073BE8000-memory.dmp
memory/1516-163-0x0000000069C11000-0x0000000069C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{E9A09C70-D3F1-4915-AF88-DC722C2048C3}.html
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-25 17:32
Reported: 2024-01-25 17:38
Platform: win10v2004-20231215-en
Max time kernel: 246s
Max time network: 267s
Command Line
Signatures
Kinsing
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a1s-root1=email_banfield_2024_01_25_16_SMTP-att-1-4TLRgQ29l4zJmsx-2024-01-25T16_51_46.eml
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2024-01-25 17:32
Reported: 2024-01-25 17:38
Platform: win7-20231129-en
Max time kernel: 88s
Max time network: 245s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7089758,0x7fef7089768,0x7fef7089778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3024 --field-trial-handle=1240,i,15271034542675940167,7159507647028299330,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
\??\pipe\crashpad_2152_CPEMNUHMPABMGJPK
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 74b1e2cc0942f263d8fbfeb52ce53230 |
| SHA1 | 4a91db2b05b197dd8f90cd6d63982396f591f1e1 |
| SHA256 | c6acf73b90256b16af9d6dd15b0974ccf6793cef28fa7f9cc2e3d7f1df2a5fa9 |
| SHA512 | f63bd9004ae425ec1c336c471ba8c3a6416c1117c373163d898aff6c7a85cb939fc991e1da90a515c1c13ad02f7c21f6a78b65e40247e43b43cbb2235d888d6f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 048b67ee2bc5245e5567b022eb09ff87 |
| SHA1 | c29b4e86cea2e2efe47c1951d663f7903dd45655 |
| SHA256 | e31c4e5afa688fb8900f9ea3a56b553cb9a3229862f1bdc3757a73ce9c8302bb |
| SHA512 | aecda6cf439699de59c7411844fe758f39b829837e33766ddd9d24fc7e8e411889835c5127a4852b6c05180714f186bba5ff3e8b412d150d8ff7e79a1a47af76 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:38
Platform
win10v2004-20231215-en
Max time kernel
299s
Max time network
270s
Command Line
Signatures
Kinsing
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506776170154009" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecde29758,0x7ffecde29768,0x7ffecde29778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 --field-trial-handle=1856,i,15115401519917667710,5115833500914338684,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 3.49.178.192.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4236_MBXIRGODMIAJRYWM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 706549932b8cf550149bf1afb8ba8a30 |
| SHA1 | f0f41c3c21e971743dc32a33e556b755c98f91c2 |
| SHA256 | 30f6b3684fb17ae523f1f51d91b79188020c071b1fb66c57a827d54fd25424e4 |
| SHA512 | e8c6b7e0eaf552c1d26b8c7d606c7a427bd3d51d2a37e8496460d7f1b3e50b5a27f2d77c6065c7797e9d81b75f6029e30ae42008a00e0a5a030d2154da6b36ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9314f5e788eeb991963cbe350d98e6c7 |
| SHA1 | 7b74d50fc4dee77ece24bf5eda681e58489a700a |
| SHA256 | d26f3f4cd08cc493fd0ee20056d2d161ef12f2952555afa0d322865afce61dec |
| SHA512 | 71a57737fd7bba6af2239ed6d9235485ccede14c002b36ad585ccc60ed214e308791c0d0d0457b79d901188c3d1c9d27d64f045f35c098ad83283cd03dbc2d6e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d12cdcfa96a8479e102b91e72ab564d0 |
| SHA1 | 82cab65cae7ff5cfd90a2fc90aa47576a3fc8b8b |
| SHA256 | 0e64adcb4ff93d5503d660a1004b3950252a11e8a11edfe43beb23883de249e1 |
| SHA512 | 95df3ed8e43f095e6358fd8413916cde6cf50d5cf1ef08803789f151a505fcc1c478293d476fa9f61fb856b02b5c1978f74a45de85c0011782590ad7c48b46df |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 94193615eb39a154f225c8c6a641e65c |
| SHA1 | 1d7bdde5a96073a3dc2ca034b3143ccc5a642e62 |
| SHA256 | 988998d9f49458e6e1aeef35de36ebc5c235ba14bbe3a45e6385cf8310e1b8e8 |
| SHA512 | b1685d7ba5d9561676e09c9cb2f24fe0a2771bfdfe65fc8bc53030f5e3c6c464d8e48e359f74f9b13cf7494c423b7c323a6790dda0ca9074964a10bdd9bac4c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c99308a93099478cde7082ab3f88c454 |
| SHA1 | c9852ac860a92a65772a6f11b927f215ab9bc0c2 |
| SHA256 | b65c7726efc13cee65af077a66826bd800de372880f6c5bba31757f165808cc4 |
| SHA512 | 5ddcd77ce735c34f5e0f01174e50c6b15381b71d4ff899ca36b3aec744e4a465eb6d7c4f11d6b14e483a18dc0f0350d996aadb71444adb6d0c54cce215fe657c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:38
Platform
win7-20231215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:38
Platform
win10v2004-20231215-en
Max time kernel
130s
Max time network
198s
Command Line
Signatures
Kinsing
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |