Analysis Overview
Threat Level: Likely malicious
The file https://ams_support.axiomupgrades.com/password/reset/52RNb8BwNuFdgynBM13CrUhTF1PbAYybNMhMdjkx7wsYeh0R6cObHCm8DgvL?email=al.bundy@saic.com was found to be: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: al.bundy@saic.com
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-01 20:28
Signatures
A potential corporate email address has been identified in the URL: al.bundy@saic.com
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-01 20:28
Reported
2024-04-01 20:30
Platform
win11-20240221-en
Max time kernel
78s
Max time network
67s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133564769536062098" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ams_support.axiomupgrades.com/password/reset/52RNb8BwNuFdgynBM13CrUhTF1PbAYybNMhMdjkx7wsYeh0R6cObHCm8DgvL?email=al.bundy@saic.com
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff913ff9758,0x7ff913ff9768,0x7ff913ff9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=312 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ams_support.axiomupgrades.com | udp |
| US | 35.81.92.111:443 | ams_support.axiomupgrades.com | tcp |
| US | 35.81.92.111:443 | ams_support.axiomupgrades.com | tcp |
| GB | 142.250.180.10:443 | content-autofill.googleapis.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 35.81.92.111:443 | ams_support.axiomupgrades.com | tcp |
| GB | 142.250.180.10:443 | content-autofill.googleapis.com | udp |
Files
\??\pipe\crashpad_864_JBZBXRQLBPYSVGUC
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity