Analysis

  • max time kernel: 156s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/04/2024, 02:51 UTC

General

  • Target

    http://actemail.net

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (26 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://actemail.net
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe69399758,0x7ffe69399768,0x7ffe69399778
      2⤵
      PID:4864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:2
      2⤵
      PID:3240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:8
      2⤵
      PID:3584
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:8
      2⤵
      PID:4608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:1
      2⤵
      PID:4952
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:1
      2⤵
      PID:4836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:8
      2⤵
      PID:1864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:8
      2⤵
      PID:4916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 --field-trial-handle=1884,i,5348015756150813706,11170335304540335207,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2080
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:4120

Network

  • [US] DNS actemail.net (chrome.exe)
    Remote address: 8.8.8.8:53
    Request:  actemail.net IN A
    Response: actemail.net IN A 51.79.69.93
  • [CA] GET http://actemail.net/ (chrome.exe)
    Remote address: 51.79.69.93:80
    Request:
      GET / HTTP/1.1
      Host: actemail.net
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
    Response:
      HTTP/1.1 503 Service Temporarily Unavailable
      Date: Fri, 05 Apr 2024 02:51:53 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33
      X-Powered-By:
      Retry-After: 3600
      Content-Length: 1013
      Connection: close
      Content-Type: text/html; charset=UTF-8
  • [CA] GET http://actemail.net/favicon.ico (chrome.exe)
    Remote address: 51.79.69.93:80
    Request:
      GET /favicon.ico HTTP/1.1
      Host: actemail.net
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
      Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
      Referer: http://actemail.net/
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
    Response:
      HTTP/1.1 404 Not Found
      Date: Fri, 05 Apr 2024 02:51:54 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33
      Content-Length: 209
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=iso-8859-1
  • [US] DNS 217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 106.23.217.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  106.23.217.172.in-addr.arpa IN PTR
    Response: 106.23.217.172.in-addr.arpa IN PTR mil04s23-in-f106.1e100.net
              106.23.217.172.in-addr.arpa IN PTR mil04s23-in-f10 [name truncated in capture]
              106.23.217.172.in-addr.arpa IN PTR fra16s45-in-f10 [name truncated in capture]
  • [US] DNS 93.69.79.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  93.69.79.51.in-addr.arpa IN PTR
    Response: 93.69.79.51.in-addr.arpa IN PTR mail.actemail.net
  • [US] DNS 138.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  138.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 133.211.185.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  133.211.185.52.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 103.169.127.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  103.169.127.40.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 206.23.85.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  206.23.85.13.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 24.139.73.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  24.139.73.23.in-addr.arpa IN PTR
    Response: 24.139.73.23.in-addr.arpa IN PTR a23-73-139-24.deploy.static.akamaitechnologies.com
  • [US] DNS 138.136.73.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  138.136.73.23.in-addr.arpa IN PTR
    Response: 138.136.73.23.in-addr.arpa IN PTR a23-73-136-138.deploy.static.akamaitechnologies.com
  • [US] DNS 210.143.182.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  210.143.182.52.in-addr.arpa IN PTR
    Response: (empty)
  Connections (Sent/Recv are bytes; Pkts is packets sent/received):

  Remote address    Hostname / URL                   Proto  Process     Sent   Recv   Pkts  Request                              Response
  51.79.69.93:80    http://actemail.net/             http   chrome.exe  657 B  1.5kB  5/5   GET http://actemail.net/             503
  51.79.69.93:80    http://actemail.net/favicon.ico  http   chrome.exe  644 B  668 B  6/5   GET http://actemail.net/favicon.ico  404
  8.8.8.8:53        actemail.net                     dns    chrome.exe  58 B   74 B   1/1   actemail.net                         51.79.69.93
  8.8.8.8:53        217.106.137.52.in-addr.arpa      dns    -           73 B   147 B  1/1   217.106.137.52.in-addr.arpa          -
  8.8.8.8:53        172.210.232.199.in-addr.arpa     dns    -           74 B   128 B  1/1   172.210.232.199.in-addr.arpa         -
  8.8.8.8:53        106.23.217.172.in-addr.arpa      dns    -           73 B   173 B  1/1   106.23.217.172.in-addr.arpa          -
  8.8.8.8:53        93.69.79.51.in-addr.arpa         dns    -           70 B   101 B  1/1   93.69.79.51.in-addr.arpa             -
  224.0.0.251:5353  -                                -      chrome.exe  204 B  -      3/-   -                                    -
  8.8.8.8:53        138.32.126.40.in-addr.arpa       dns    -           72 B   158 B  1/1   138.32.126.40.in-addr.arpa           -
  8.8.8.8:53        133.211.185.52.in-addr.arpa      dns    -           73 B   147 B  1/1   133.211.185.52.in-addr.arpa          -
  8.8.8.8:53        103.169.127.40.in-addr.arpa      dns    -           73 B   147 B  1/1   103.169.127.40.in-addr.arpa          -
  8.8.8.8:53        206.23.85.13.in-addr.arpa        dns    -           71 B   145 B  1/1   206.23.85.13.in-addr.arpa            -
  8.8.8.8:53        24.139.73.23.in-addr.arpa        dns    -           71 B   135 B  1/1   24.139.73.23.in-addr.arpa            -
  8.8.8.8:53        138.136.73.23.in-addr.arpa       dns    -           72 B   137 B  1/1   138.136.73.23.in-addr.arpa           -
  8.8.8.8:53        210.143.182.52.in-addr.arpa      dns    -           73 B   147 B  1/1   210.143.182.52.in-addr.arpa          -
                    MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 678B
    MD5:    1b752dd562274fdd91bacfbf727a1dc7
    SHA1:   5e6f8729108c1aff3d2c6f68f04f38310f792141
    SHA256: 11e2c32b620314be608040455b715bdffd3b20e48c18fa21a1202f6b205cb976
    SHA512: c552cb6cd31c6c220963a908e55f9f1afcf3dc328293eb080cdbe7106ed3e8d14a93ff1731a3a82851edb96789d3c769cbac3f521bcc0e84c317a751e7b48953
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5:    41ec535bca29e67c31f6e9a97540940b
    SHA1:   bb62768087a6617eb0b93fcf1e8d95240ea7bf49
    SHA256: 7e4a3cb9cad792a85fc5617a26a9895da6de0db63ce625942d036e8af0880d00
    SHA512: a6bcfaf75a65acc0409c9cdc3228623cdbcaa53b7c3901700bb58fd4f977371af009cd9fbded8264a01a51228299084de9563ee6977be9ee05b0c29f6458c34e
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 253KB
    MD5:    debbd34b139ba56d614213d378dcb741
    SHA1:   286caa70f903e97568b7c897aae766cffa249c4d
    SHA256: 0de3ae3185879ec6b5fa87e674e28bb6222908e392d7104e7c9898c9313a29e5
    SHA512: 2496ac527d703e2fcefe06dbfaee4aba17d2c6d22ae4d933dd4820e7abd7e58804f34bdb583f73f21b132177d7403a78e2066de97b06e6a8aa6c48f358754cf3
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5:    99914b932bd37a50b983c5e7c90ae93b
    SHA1:   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
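Every file in this list lives under Chrome's own profile directory, and the 2-byte persisted_first_party_sets.json is worth ruling out before anything else: its digests are those of the empty JSON object "{}", which is what the browser writes when no first-party sets are configured. The Python below is an added example, not tria.ge's code, that embeds the entries transcribed from this section and checks each one against known default contents by recomputing the digests locally, so an analyst can drop browser-state files from the review queue without touching the sandbox. The entry layout and the KNOWN_DEFAULTS table are assumptions made for the example.

```python
import hashlib

# Constructed sample: the Downloads entries transcribed from this report.
# The dict layout is this example's own, not tria.ge's export format.
DOWNLOADS = [
    {
        "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State",
        "size": "678B",
        "md5": "1b752dd562274fdd91bacfbf727a1dc7",
        "sha1": "5e6f8729108c1aff3d2c6f68f04f38310f792141",
        "sha256": "11e2c32b620314be608040455b715bdffd3b20e48c18fa21a1202f6b205cb976",
        "sha512": "c552cb6cd31c6c220963a908e55f9f1afcf3dc328293eb080cdbe7106ed3e8d14a93ff1731a3a82851edb96789d3c769cbac3f521bcc0e84c317a751e7b48953",
    },
    {
        "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences",
        "size": "6KB",
        "md5": "41ec535bca29e67c31f6e9a97540940b",
        "sha1": "bb62768087a6617eb0b93fcf1e8d95240ea7bf49",
        "sha256": "7e4a3cb9cad792a85fc5617a26a9895da6de0db63ce625942d036e8af0880d00",
        "sha512": "a6bcfaf75a65acc0409c9cdc3228623cdbcaa53b7c3901700bb58fd4f977371af009cd9fbded8264a01a51228299084de9563ee6977be9ee05b0c29f6458c34e",
    },
    {
        "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State",
        "size": "253KB",
        "md5": "debbd34b139ba56d614213d378dcb741",
        "sha1": "286caa70f903e97568b7c897aae766cffa249c4d",
        "sha256": "0de3ae3185879ec6b5fa87e674e28bb6222908e392d7104e7c9898c9313a29e5",
        "sha512": "2496ac527d703e2fcefe06dbfaee4aba17d2c6d22ae4d933dd4820e7abd7e58804f34bdb583f73f21b132177d7403a78e2066de97b06e6a8aa6c48f358754cf3",
    },
    {
        "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json",
        "size": "2B",
        "md5": "99914b932bd37a50b983c5e7c90ae93b",
        "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
        "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
    },
]

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Default file contents worth ruling out before spending analyst time.
# Assumption for this example: only the empty JSON object is checked.
KNOWN_DEFAULTS = {"empty JSON object": b"{}"}


def digest_set(data: bytes) -> dict:
    """Compute the same four digests the report lists, for candidate bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def matches_content(entry: dict, candidate: bytes) -> bool:
    """True only if every digest the entry carries agrees with the candidate.
    Requiring all of them guards against a single colliding or mistyped hash."""
    computed = digest_set(candidate)
    present = [alg for alg in ALGORITHMS if alg in entry]
    return bool(present) and all(entry[alg] == computed[alg] for alg in present)


def classify_downloads(downloads=DOWNLOADS) -> dict:
    """Map each dropped-file path to the known default it matches, or None."""
    result = {}
    for entry in downloads:
        verdict = None
        for label, content in KNOWN_DEFAULTS.items():
            if matches_content(entry, content):
                verdict = label
                break
        result[entry["path"]] = verdict
    return result


def unmatched_paths(downloads=DOWNLOADS) -> list:
    """Files that still need a look because no known default explains them."""
    return [p for p, v in classify_downloads(downloads).items() if v is None]


if __name__ == "__main__":
    for path, verdict in classify_downloads().items():
        print(verdict or "no known default", "<-", path)
```

The same pattern extends to any sandbox artefact list: keep a table of digests for files the platform itself writes (browser profile state, installer logs, crash-handler databases) and let the remaining, unexplained files be the ones that get opened.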
