Analysis Overview
Threat Level: Known bad
The file https://rebrand.ly/wllozr0#[email protected] was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 17:54
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 17:54
Reported
2024-05-06 17:57
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | cloudflare-ipfs.com | N/A | N/A |
| N/A | cloudflare-ipfs.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594916807196938" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rebrand.ly/wllozr0#[email protected]
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca21ecc40,0x7ffca21ecc4c,0x7ffca21ecc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1988 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2236 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3136 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3668,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4488 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3344,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4656 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4464,i,15460178156396942745,3482482781464274945,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4876 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rebrand.ly | udp |
| US | 15.197.137.111:443 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | cloudflare-ipfs.com | udp |
| US | 104.17.64.14:443 | cloudflare-ipfs.com | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | www.w3schools.com | udp |
| US | 192.229.133.221:443 | www.w3schools.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 111.137.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.64.17.104.in-addr.arpa | udp |
| US | 192.229.133.221:443 | www.w3schools.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | egensession.com | udp |
| US | 172.67.192.136:443 | egensession.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| GB | 172.217.169.74:443 | content-autofill.googleapis.com | tcp |
| US | 104.17.64.14:443 | cloudflare-ipfs.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 221.133.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 13.107.246.64:443 | aadcdn.msauth.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1952_MMOBDGIOFFTYFTMR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 9c831cf0011b708873f03cd0b79a9926 |
| SHA1 | 679b8b31cd944fa373ef25769e995e9b9d439fc1 |
| SHA256 | 2b8fd17f0a92fd5a726fa01ad01e1102cb47b402a626af381b4c6573671549c3 |
| SHA512 | 8e10baf66be0be2b33d3b211452eaddfd0bf6c7399bd2ad60cd24b71ce5069207fad53c05885c844b185dc51f233131bdd9322348ee2ffd8d4233e0631e208c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\07ca2005-8d4b-46b3-a5da-c793dc741352.tmp
| MD5 | 2cbcca5cd7057a5ae4695872c6db1580 |
| SHA1 | 3c5a829b24d0f448e880bd27c0a3c3493afc8a34 |
| SHA256 | 0c110b329b8c02d7660364249b39fe34ac82ec6a956418fab4bfe738b465c45e |
| SHA512 | df00aa7dd0316b97bc6dd2ea463f929044aea6737222879898f5f62a63d44e7170029bf110746dacbaf4ab183ab1b792b4e520e92837862dbebcd0dd65b54956 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b1bc509fda113ccf763d22ecf1667408 |
| SHA1 | 2206d1f531f6f3c17b802531e3a08088b3a6efca |
| SHA256 | 33def0dba170bb14e8730d2b846b49af8ce04855e816602df63dac28e8f367ea |
| SHA512 | f55fc79cfb4acfbca9b64efe9358413911314ebeec7273f58ef8391554d5eb8c245b49442be9181ebbf39fdc3dacf3ba48a39a9f197df3fa1af71a27fd7dcf96 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1b497e8d73670e0562cfadaa5e39945a |
| SHA1 | 177ba5530dbd6a84d35786fac962df39e87b92e7 |
| SHA256 | d0ef69537611d25600ae9c0863b9b7159077070b359993c66dd8f796d0909401 |
| SHA512 | 4cfdeb01d4777f0e75fcf2929eb53d2af806a10e6378ecd7c14c0e88c6f77190c4ff85cbdb0cb52c13a867e7947fa8f3db0a1694a30b7efc85e1b77dcb648b02 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4ed98942c8d4e4945339312d4e6f8c6f |
| SHA1 | 7e6f4325ac0bca970a1d21d8e1a3009b80f3cce5 |
| SHA256 | 3387b1b41d859c475c9dd9c3ce9ae521003f80775ad69593a80c4a999bbfab06 |
| SHA512 | 92525e31998d8e5d17daa70ae66283b5c21ac54ef8e2df2e0ed276d24032903ff96cb07ffdd229afd96a8b892f0a6d9c6fd2191c3fcdf1de5bf61342ed7f3c3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1913ff92bdc25678515d3ff415007120 |
| SHA1 | f7011c046c4751743dde78589104a14eb1dac51a |
| SHA256 | 478a476894f7fd7355a49f35abd21cf6b456d297ba3b052a964771dcdc65e514 |
| SHA512 | fbda8f666474e6e5dd492dbcabdcef5be7b4487baaefcbede6aa8db369ff736496b1ab7f0f45b7cedfc6e18e1105d90a51467d04b561155c993f2ccf28802351 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | fb5914289ff71afd90c6551ea2de4ac8 |
| SHA1 | 5e738949c3c18672d647bf923c0370cf206af7b2 |
| SHA256 | f4c9a871ff0daa3104c205c5b0b9a49fa67305bb7bf425687123bf1123d33c7b |
| SHA512 | 4f004c1f590b6281b708cf465fd38db97d0c475e17530895c7412f1db4923d8fd3e0a6d7c862da685209202bf6816bae593c497821af941291fa84532faaceb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 147ab2359fa90329307aef59e6bae97c |
| SHA1 | 08a9642fb63ffdf795d87879fff36dc5349e5198 |
| SHA256 | 469ed31a06c1ca21b075e2523f61b7e84c13162e2cf7144ca9338b301627c605 |
| SHA512 | 5bce1fe62fc86c2db925c51ecfc96c21d72459acb7afdedbb25862f39f7e67925ee784246b11057ae8deb51d5fb921b25665d0bb5498ea3d1a10357c3ff93610 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d29c132e-c43c-4035-9de8-a86a12883e08.tmp
| MD5 | 9b70f858bfc211bccb82eef18cb751d0 |
| SHA1 | 43fce840e6470421ed26eb7ff468536d19fb95e7 |
| SHA256 | 2594474d22571118fb1ca4accd903c892dd9c3f6fadf7efa77b16ca65f5dc94c |
| SHA512 | aa383723c0221e37bd3b072d9f875df1641cacbd4f454ccd7319e37fb77cb88891c27c7c3c66d566d0841e5cd76aef8e73f50523d45871571e03963e993c932d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2b8caf2cfd424eacfea4e6c6b74aecfe |
| SHA1 | 67975e26bd9c16fe27a8d0fc95df312914a3abe6 |
| SHA256 | bc42c92f064d3dca09d6d38291837b6d36e580fe4e5fec32dd72de750db893fb |
| SHA512 | 8f19b611c58da75f907deeedc2152d8c69407b3eebc8d43357b4b009d88df7d8dfaf3850841c12564317ecc1b307d41129cd30fae1ac3a8de6990a9d39cc491f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3eecb96cf18e7ffffecce43c6c2a857e |
| SHA1 | f97bb58d7a588093d888229b3ae1e414d69351ba |
| SHA256 | b7ee529e3dda98f5c505dc01f700db7c91f06fdb12e178bb75ac7e392f6abd46 |
| SHA512 | 68a5851e1edcc0d8432e7fff55d186ee2a9dec7883e452d881e2631f2e97aa3d8dd684a5d65a4e7ec63e74b8dee2b1620c306a20cac4e7fff02edfd79c62c5af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d0af0dc4f8ba8a026bc9ab3a474cf604 |
| SHA1 | 90878bcc945cc0ab8c57fd8005e617e566b4f3ae |
| SHA256 | c19aa37d45f799fe6b11c2adc6c97176a718801868574175d14bf8b301700500 |
| SHA512 | ce95807fb388811aa9ef5da2c871c7562b233ac381a693901ff0c4f5d1bacf3021f12ebd6b21e4b2009089143a5e2d955adf9b1ddc3ff5af2293881e54e3f7f2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c27ddfc38fe7b3a8496f2df0eeeeeb62 |
| SHA1 | 0dac264d83a45d9669e63d9075d0911f4f77eb00 |
| SHA256 | fcb1cf23fab4590a8cea3bb0b2ae2e495c8d4e6af1d19b593e20440017ad4960 |
| SHA512 | 7ee06fe5ee8ae9071c1035b7074292c01a99204d0a87216df6f2af4215f03a0ee568cf801e2f5c656d2beab36d5cd1122c82ae77cffc73f349cd3822d34349f5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8ae49df6780886395910bcc4108d0641 |
| SHA1 | d9f8ae9cab9ad8d705cf2bc6b7260f726bf64de2 |
| SHA256 | 085a0b0bcad55db2608f384f6fd05e2ccacc682e8c2189b477cfb1928e67bf67 |
| SHA512 | d5fd49729fccf4cbbd7bfa1131e84bbad4eff7cc996a26beb23f23d2ca8bfbed2680ce7a4bdf14a8e3e77ee4d10198e35a59421c82d3250dce184fe4e5fd7d9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | caea86bb03859c3d4b440a52a86d85f1 |
| SHA1 | 3b2bc955e18f14adc4638c1450b3b60385745193 |
| SHA256 | f2ab935c2a91bdb1218ed5e196d8c8e81599c7ab20b2d6874fcfa68f091877a1 |
| SHA512 | a4ea42e8fcf9266bf21140146e5403fd353e341abd01044d98722ff305a3e4f6a2d48d27939591455998eb975d6c5955b137ee4f0086030fb9261f460e9eee7f |