hxxps://58[.]email[.]stripe[.]com/CL0/https[:]*2F*2Fdashboard[.]stripe[.]com*2Freceipts*2Fpayment*2FCAcQARoXChVhY2N0XzEwMzJwbDJ2eGZDOTlaeWUo8pjUsAYyBn4kGuJklDovFhNn4SC2bJYMLOHQqYkFw1jlxm6SfJozk-HF2dsHZfSErPU4pquq9vfW2Fpt3aU/1/0100018ec238a50e-8ea826ae-9a7c-4d14-aaad-46919ebc481e-000000/WNQOukdPo-mystT_tYneMS83pPxCflCDy_y6i9gjntA=347

Analysis

max time kernel
300s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://58.email.stripe.com/CL0/https:*2F*2Fdashboard.stripe.com*2Freceipts*2Fpayment*2FCAcQARoXChVhY2N0XzEwMzJwbDJ2eGZDOTlaeWUo8pjUsAYyBn4kGuJklDovFhNn4SC2bJYMLOHQqYkFw1jlxm6SfJozk-HF2dsHZfSErPU4pquq9vfW2Fpt3aU/1/0100018ec238a50e-8ea826ae-9a7c-4d14-aaad-46919ebc481e-000000/WNQOukdPo-mystT_tYneMS83pPxCflCDy_y6i9gjntA=347

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572724872308105"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 496	2988	chrome.exe	85
PID 2988 wrote to memory of 496	2988	chrome.exe	85
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 4000	2988	chrome.exe	87
PID 2988 wrote to memory of 764	2988	chrome.exe	88
PID 2988 wrote to memory of 764	2988	chrome.exe	88
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89
PID 2988 wrote to memory of 4872	2988	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://58.email.stripe.com/CL0/https:*2F*2Fdashboard.stripe.com*2Freceipts*2Fpayment*2FCAcQARoXChVhY2N0XzEwMzJwbDJ2eGZDOTlaeWUo8pjUsAYyBn4kGuJklDovFhNn4SC2bJYMLOHQqYkFw1jlxm6SfJozk-HF2dsHZfSErPU4pquq9vfW2Fpt3aU/1/0100018ec238a50e-8ea826ae-9a7c-4d14-aaad-46919ebc481e-000000/WNQOukdPo-mystT_tYneMS83pPxCflCDy_y6i9gjntA=347
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffacf9758,0x7ffffacf9768,0x7ffffacf9778
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 --field-trial-handle=1872,i,5632376826526126258,13309228382364242426,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
755B

MD5
80b9f96cbd0f887a68586c16ec16a1f8

SHA1
4c9cda51c86e15d78bd0b0651f8dd4d7b596ae92

SHA256
94d4519b4db43373fa842bd386605e862eec567c2b49fa1e70f45d4489a5960d

SHA512
da7ee77d4ecf6e1eecb5a69f976dcd5aadb82b10ed8bbc8191a6f88fcc1a17a098cbaee37b3b19d6ac0d8f1abdc5c22f9cbdcc777f154932cf36cb470e03c248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eaa4061d2b11984024868eaa1cc24a29

SHA1
16f361da946ef58cd103284644198a6f082ed5dd

SHA256
31e47834a52dd7885dc5a0caa423e92e59966598a7c52963d47858ec6c51dfcc

SHA512
3ba4eb7352defb4375ac82d18ca44b74bb5d10f716b4ec0f402f176ee75b2cbe68dd77405cd7f30579927de3faab4ac5967670cd2044bfd444b408864acc9273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2a5fb086a9e09311303f22a0f1c4cbd0

SHA1
1f9001ee2f3ebf660a913f68721b3424bd59f8f9

SHA256
61a6b49cac3c894d6c8d5a7a59bc1b969107ab68e92559d917b9fea29c2bd1b4

SHA512
071b56d56424952cc406e8853f2d1b750b247486de3b9593eacbc366951387f9c58655db31d824cada968e67ec66b3acf70b7db60db99dce601fed977c946946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
4fef49b10d37afcb456b7d1a3dd8571a

SHA1
2c31bb110f98362b9f2a01e4c0750dada17d4847

SHA256
fc1c5c504f3f66b82942ae089fd956bbf89ec6bd66bd4a8deda255a561fcc51e

SHA512
10b9396ba60da4f7274771fa20c4aa2f18af36cfd05ccccf256fc5612c409491275e90038804f475dc26372668a217818ab8e8adc9fd4093b366fe62e53cb375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit