Analysis Overview
Threat Level: Known bad
The file https://mcas-proxyweb.mcas.ms/certificate-checker?login=false&originalUrl=https%3A%2F%2Fwww.officence.com.mcas.ms%2Feur%2Ffdb676e9-2f51-4792-8426-ba06784d6d7f%2Fc8bcd97c-0097-4755-b7d3-a3a3e89a86ca%2F0b7ba8ce-c034-4ea3-9b46-1b0e59e6f9e8%2Flogin%3Fid%3DTTZGNnVKSVdFSFBHTjVPMDI0TVBpVE9YUzNjL3paNkVoeDdjbEJteG9ZN2RtY0V2NWhQUEIzTGtvTGZjc25XbnlJdnhGV0xocUY1eXZpL2RmWXJuUWhlSEovUG9malFJYU1EejlSaCtjVEtsakxBMWdibXpnWWQyS0VCazR0bkhXcmVOL2ZZclA1OHJqc3JuZ0JORHlLdWw2K3ZyOUQvL1oydWxKMCtWTisrRDV1cjU4NU1ZbWtNTkFjUHJJRnQrR3VkUldydkgwbXdCZHAzL09hOUFhMzFhMTVZKzIrZ3dhN2pDY0FTNVhWamRDUFJWcjZ0RjE1R2p0NDhrRTdqN0dzMm9BTXpsSldGaTVzNWxURy9SWklCQndzQVA1Vjdxbmp3dWNZaStIOXQxM3RqdC9CWXlEME13Q0dvaDA0SlF4V29zVDl1eGVKUVllcVNUSXFMTkRQSm5aeTBtT1AxYmc5MjdOL0Q1Y0hKTmtQcWlMT3VxWk1jNzZ1SjB4QXlscERWYUpEWVM0SGtSNnRwR2dUOU9aM1c0R0xzNXIydEl3bUJFcWhSejRxcz0%26McasTsid%3D20893&McasCSRF=23a5cafef6477b4b704ab98467ebbdd886866aed4357f5a4c575661af80a46c5 was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 08:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 08:12
Reported
2024-05-06 08:15
Platform
win11-20240426-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Detected microsoft outlook phishing page
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594567766933073" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mcas-proxyweb.mcas.ms/certificate-checker?login=false&originalUrl=https%3A%2F%2Fwww.officence.com.mcas.ms%2Feur%2Ffdb676e9-2f51-4792-8426-ba06784d6d7f%2Fc8bcd97c-0097-4755-b7d3-a3a3e89a86ca%2F0b7ba8ce-c034-4ea3-9b46-1b0e59e6f9e8%2Flogin%3Fid%…%26McasTsid%3D20893&McasCSRF=23a5cafef6477b4b704ab98467ebbdd886866aed4357f5a4c575661af80a46c5
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7528ab58,0x7ffe7528ab68,0x7ffe7528ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4628 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 --field-trial-handle=1804,i,8129534980367158505,2596600097284066789,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mcas-proxyweb.mcas.ms | udp |
| GB | 20.90.50.115:443 | mcas-proxyweb.mcas.ms | tcp |
| GB | 20.90.50.115:443 | mcas-proxyweb.mcas.ms | tcp |
| US | 13.107.246.64:443 | aadcdn.msftauthimages.net | tcp |
| US | 13.107.246.64:443 | aadcdn.msftauthimages.net | tcp |
| US | 13.107.246.64:443 | aadcdn.msftauthimages.net | tcp |
| US | 13.107.246.64:443 | aadcdn.msftauthimages.net | tcp |
| US | 13.107.246.64:443 | aadcdn.msftauthimages.net | tcp |
| US | 23.53.113.225:443 | c.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | 115.50.90.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 13.107.246.64:443 | www.officence.com | tcp |
| US | 13.107.246.64:443 | www.officence.com | tcp |
| US | 152.199.23.37:443 | aadcdn.msftauth.net | tcp |
| US | 13.107.246.64:443 | www.officence.com | tcp |
| US | 152.199.21.175:443 | aadcdn.msauthimages.net | tcp |
| GB | 172.217.169.42:443 | content-autofill.googleapis.com | tcp |
Files
\??\pipe\crashpad_3152_UTEIVWYTEBVHORAP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1b79e815-f1ae-4df5-aba8-f09207d73443.tmp
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1c126956d2622db99351c790f94fa4a4 |
| SHA1 | 495639c5260882f024c0909e3222747008cbfb49 |
| SHA256 | f3c835cc594fcfad6d6b776c1052a585083f3a5e260aac4ce573cac84895561c |
| SHA512 | abc383060c94290a59185b7e35439a3ca9a835dded5d1aea90ab300a732f61317cbe54980897dec544536ee623ec2e9dae26e84ad2ebdc1bc092313657e973ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 867415ed527f0b4ff9b0265cc33d85ae |
| SHA1 | 4b3308621cf580d98ff3413014d164729f87ed13 |
| SHA256 | 5f33a639d5b86f82918fea45a3a97487e72820796cb487ba191928350f220a41 |
| SHA512 | f394ee148aff938b43e7e3c3e0fb2cc5a523b8d7c54d6b51a71f6deab7e122612d2e012e5a929a74bfdc8417caec0cd3b5ffe9bd9ffbcee9618adbe197182da4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a84bfe7f1f28eec20c13046e55b289a9 |
| SHA1 | 0e4d7f7f8eb0f983b135ed794b70236fb1919b6e |
| SHA256 | 8b342784f1cf15d7372909033e075be66b8fee8ffc5630d1435f2f0170c892d2 |
| SHA512 | f4be9ac63f06bc60df25b3a6a57f1ddb6ed0f8c048cc7b4cf70faefc28d7211c12fc0f1626eed2222b6883eba6328db631a0749a67bdf73b8eee5ebbc304cab7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7233c10b7009e96faa2045688c500935 |
| SHA1 | 1cf076e4c0d09b4587136d26062f655b1bc40d18 |
| SHA256 | 5e5ebe614c7442bfbc8ecc9d862daeb5b576a8f2e1273c5ed3eea94869997f62 |
| SHA512 | 6dc297b331c8a7b324103e19f7f6e17dd8fed546bf1e2c30352727b066768a9742d197eec50f0f171fc680a5c773147f9cce3c7fe02ffc2b7963255a5ec62fa7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 902f8f9c91ea3e1996a26053b560d93d |
| SHA1 | 36d39754369149f5eddaa68412d0eaa276858b56 |
| SHA256 | 6bcf669b572037943a392c3aebedbf61b36061a2e21d579729239acc95be8456 |
| SHA512 | 80e5a7a6db96042b2817374a7d2b1f1aceece9e7902f788f5747a086b914ed04f28c5ab324a6185ad454953083a76d41c457a69305988b429dfc6d548bae0745 |