Analysis Overview
Threat Level: Likely malicious
The submitted URL https://mailstat.us/tr/t/btrlnz4jjmt3jjmt/1/https://t.yesware.com/tt/1285127462371863c116858185057004c9928052/a36977710168471048043c809c718634/9710480f35e9280edb1604aa28512746/opc.am840.com.br/eron/[email protected] was rated: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Every behavioral signature listed here is attributed to chrome.exe itself (see the Process column under behavioral1), and the only processes observed are Chrome and its elevation_service.exe; no payload was written to disk. What distinguishes this sample is the URL itself (a recipient address carried through two email-tracking redirect layers) and the network activity, in which the browser lands on hosts under cloudns.ph at 5.230.43.245 and then fetches Microsoft sign-in page assets from aadcdn.msauth.net, aadcdn.msftauth.net and aadcdn.msauthimages.net without ever contacting a Microsoft sign-in endpoint.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 13:32
Signatures
A potential corporate email address has been identified in the URL: [email protected]
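The static signature keys on the recipient address that sits in the last path segment of the submitted URL, behind two click-tracking layers. The following is an added example, not part of the sandbox's tooling: it peels those layers off and recovers the real destination host and the embedded address. It assumes the two layer shapes the sample shows (mailstat.us embeds the next hop as a full URL in its path; t.yesware.com ends its path with the destination host and path, without a scheme), and the address in SAMPLE_URL is a constructed placeholder standing in for the report's redacted value.

```python
"""Peel nested click-tracking layers off a URL shaped like the submitted one
and recover the real destination host and the embedded recipient address.

Added example for this report, not sandbox tooling.  Assumptions taken from
the sample's shape: the mailstat.us layer carries the next hop as a full URL
inside its path, and the t.yesware.com layer ends in '<host>/<path>' with no
scheme.  The address in SAMPLE_URL is a constructed placeholder.
"""
import re
from urllib.parse import urlsplit

SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)
HOST_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Constructed sample: the report's tracker path with a placeholder recipient.
SAMPLE_URL = (
    "https://mailstat.us/tr/t/btrlnz4jjmt3jjmt/1/"
    "https://t.yesware.com/tt/1285127462371863c116858185057004c9928052/"
    "a36977710168471048043c809c718634/9710480f35e9280edb1604aa28512746/"
    "opc.am840.com.br/eron/user@example.com"
)


def unwrap(url: str) -> dict:
    """Return hops (outermost first), tracker hosts, final host and e-mail."""
    hops = [url]
    cur = url
    # Layer style 1: a complete URL embedded in the path (mailstat.us).
    while True:
        parts = urlsplit(cur)
        tail = parts.path + (("?" + parts.query) if parts.query else "")
        m = SCHEME_RE.search(tail)
        if not m:
            break
        cur = tail[m.start():]
        hops.append(cur)

    # Layer style 2: destination host as a bare path segment (t.yesware.com).
    final_host = urlsplit(cur).netloc.lower()
    segments = [s for s in urlsplit(cur).path.split("/") if s]
    for i, seg in enumerate(segments):
        if HOST_RE.match(seg):
            final_host = seg.lower()
            # The scheme is assumed; the tracker picks it at redirect time.
            hops.append(f"https://{final_host}/" + "/".join(segments[i + 1:]))
            break

    email = next((s for s in segments if EMAIL_RE.match(s)), None)
    return {
        "hops": hops,
        "trackers": [urlsplit(h).netloc.lower() for h in hops[:-1]],
        "final_host": final_host,
        "email": email,
    }


if __name__ == "__main__":
    info = unwrap(SAMPLE_URL)
    for hop in info["hops"]:
        print("->", hop)
    print("final host:", info["final_host"], "| recipient:", info["email"])
```

Both mailstat.us and t.yesware.com are only redirect layers in this chain (the network table shows a single connection to each before the browser moves on), so the host worth acting on is the one they hand off to, and the recipient address tells you which mailbox the lure was sent to.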
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 13:32
Reported
2024-05-07 13:35
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595624050015690" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
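The "Set value (int)" row stores a Windows FILETIME, and decoding it shows whether the write is run-time bookkeeping or something older. The following is an added example, not the sandbox's code: it splits the indicator cell into key, value name and raw integer, converts the integer to UTC and checks it against the Submitted/Reported window. It assumes the value is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and that the report's timestamps are UTC. S-1-5-19 is the LOCAL SERVICE account hive.

```python
"""Decode the TPM telemetry timestamp written under HKU\\S-1-5-19 during the run.

Added example for this report, not sandbox tooling.  Assumes TraceTimeLast is a
Windows FILETIME (100 ns ticks since 1601-01-01 00:00:00 UTC) and that the
report's Submitted/Reported times are UTC.
"""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Indicator cell copied from the "Set value (int)" row above.
INDICATOR = (r'\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM'
             r'\Telemetry\TraceTimeLast = "133595624050015690"')

# Detonation window from the report (assumed UTC).
SUBMITTED = datetime(2024, 5, 7, 13, 32, tzinfo=timezone.utc)
REPORTED = datetime(2024, 5, 7, 13, 35, tzinfo=timezone.utc)

_ROW_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]+) = "(?P<value>\d+)"$')


def filetime_to_utc(ticks: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_set_value(indicator: str) -> dict:
    """Split a 'Set value (int)' indicator into key, name and raw int; when the
    int lies in the FILETIME band for roughly 1999-2108, also decode it."""
    m = _ROW_RE.match(indicator)
    if not m:
        raise ValueError("not a set-value indicator: " + indicator)
    raw = int(m["value"])
    as_time = filetime_to_utc(raw) if 1.2e17 < raw < 1.6e17 else None
    return {"key": m["key"], "name": m["name"], "raw": raw, "utc": as_time}


def written_during_run(indicator: str, start: datetime, end: datetime) -> bool:
    """True when the decoded timestamp lies inside [start, end]."""
    t = decode_set_value(indicator)["utc"]
    return t is not None and start <= t <= end


if __name__ == "__main__":
    row = decode_set_value(INDICATOR)
    print(row["name"], "=", row["utc"].isoformat())
    print("within detonation window:", written_during_run(INDICATOR, SUBMITTED, REPORTED))
```

The value decodes to 2024-05-07 13:33:25 UTC, inside the 13:32 to 13:35 window, so the key holds a last-trace time recorded while Chrome was running; it is TPM telemetry bookkeeping under the LOCAL SERVICE hive, not a persistence location.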
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mailstat.us/tr/t/btrlnz4jjmt3jjmt/1/https://t.yesware.com/tt/1285127462371863c116858185057004c9928052/a36977710168471048043c809c718634/9710480f35e9280edb1604aa28512746/opc.am840.com.br/eron/[email protected]
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe8acab58,0x7fffe8acab68,0x7fffe8acab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4448 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4824 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4364 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1900,i,12488877609167559023,13680002555078553504,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mailstat.us | udp |
| US | 184.73.182.153:443 | mailstat.us | tcp |
| US | 184.73.182.153:443 | mailstat.us | tcp |
| US | 8.8.8.8:53 | t.yesware.com | udp |
| US | 18.233.202.46:443 | t.yesware.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.182.73.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.202.233.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | opc.am840.com.br | udp |
| US | 8.8.8.8:53 | js-agent.newrelic.com | udp |
| US | 162.247.243.39:443 | js-agent.newrelic.com | tcp |
| US | 8.8.8.8:53 | bam.nr-data.net | udp |
| US | 162.247.243.29:443 | bam.nr-data.net | tcp |
| US | 103.153.183.192:443 | opc.am840.com.br | tcp |
| US | 103.153.183.192:443 | opc.am840.com.br | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.243.247.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.247.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.183.153.103.in-addr.arpa | udp |
| US | 162.247.243.29:443 | bam.nr-data.net | tcp |
| US | 8.8.8.8:53 | poneion23.cloudns.ph | udp |
| DE | 5.230.43.245:443 | poneion23.cloudns.ph | tcp |
| US | 8.8.8.8:53 | 245.43.230.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eionsesav.cloudns.ph | udp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | udp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 162.247.243.29:443 | bam.nr-data.net | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 13.107.253.64:443 | aadcdn.msauth.net | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| GB | 40.99.201.146:443 | outlook.office365.com | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | r4.res.office365.com | udp |
| DE | 2.16.6.6:443 | r4.res.office365.com | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | aadcdn.msauthimages.net | udp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.201.99.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.6.16.2.in-addr.arpa | udp |
| US | 152.199.21.175:443 | aadcdn.msauthimages.net | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | passwordreset.microsoftonline.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.16.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
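Read in order, the table shows the redirect chain (mailstat.us, t.yesware.com, opc.am840.com.br) ending on poneion23.cloudns.ph and eionsesav.cloudns.ph at 5.230.43.245, after which the browser fetches the Microsoft sign-in page's asset CDNs (aadcdn.msauth.net, aadcdn.msftauth.net, aadcdn.msauthimages.net) while neither login.microsoftonline.com nor login.live.com ever appears. The following is an added example, not part of the sandbox: it parses rows of this table, separates DNS lookups from connections, lists the non-Microsoft, non-noise hosts as candidate IOCs, and encodes that asset-without-endpoint pattern, which is what "entity reuse from brand microsoft" amounts to. SAMPLE_TABLE is a subset of the rows above in their original order (the mDNS row written with all four columns); the Microsoft host sets and the noise list are this example's own assumptions.

```python
"""Triage view over this report's Network table.

Added example, not part of the sandbox.  SAMPLE_TABLE is a subset of the rows
above in their original order (the mDNS row written with all four columns).
The Microsoft host sets and the noise list are this example's assumptions.
"""
from collections import OrderedDict
from typing import NamedTuple, Optional

SAMPLE_TABLE = """\
| US | 8.8.8.8:53 | mailstat.us | udp |
| US | 184.73.182.153:443 | mailstat.us | tcp |
| US | 8.8.8.8:53 | t.yesware.com | udp |
| US | 18.233.202.46:443 | t.yesware.com | tcp |
| US | 8.8.8.8:53 | 153.182.73.184.in-addr.arpa | udp |
| US | 162.247.243.39:443 | js-agent.newrelic.com | tcp |
| US | 103.153.183.192:443 | opc.am840.com.br | tcp |
| DE | 5.230.43.245:443 | poneion23.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| DE | 5.230.43.245:443 | eionsesav.cloudns.ph | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 13.107.253.64:443 | aadcdn.msauth.net | tcp |
| GB | 40.99.201.146:443 | outlook.office365.com | tcp |
| US | 152.199.21.175:443 | aadcdn.msauthimages.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
"""

# Assumed: asset CDNs of the Microsoft sign-in page, the endpoints a genuine
# sign-in must contact, other Microsoft zones, and browser/analytics noise.
BRAND_ASSET_HOSTS = {"aadcdn.msauth.net", "aadcdn.msftauth.net", "aadcdn.msauthimages.net"}
BRAND_AUTH_HOSTS = {"login.microsoftonline.com", "login.live.com"}
MICROSOFT_SUFFIXES = (".msauth.net", ".msftauth.net", ".msauthimages.net",
                      ".office365.com", ".microsoftonline.com", ".microsoft.com")
NOISE_SUFFIXES = (".googleapis.com", ".newrelic.com", ".nr-data.net", ".bing.com")


class Event(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str

    @property
    def is_dns_query(self) -> bool:
        # A lookup is logged as a udp row to the resolver with the queried
        # name in the Domain column; it is not a connection to that name.
        return self.port == 53 and self.proto == "udp"


def _in_zone(host: str, suffixes) -> bool:
    return any(host == s[1:] or host.endswith(s) for s in suffixes)


def parse_rows(text: str) -> list:
    """Parse '| Country | Destination | Domain | Proto |' rows into Events."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        events.append(Event(country, ip, int(port), domain or None, proto.lower()))
    return events


def contacted_hosts(events) -> OrderedDict:
    """Hosts actually connected to (non-DNS rows), in first-seen order."""
    hosts = OrderedDict()
    for ev in events:
        if ev.is_dns_query or not ev.domain:
            continue
        h = hosts.setdefault(ev.domain, {"ips": set(), "sessions": 0})
        h["ips"].add(f"{ev.ip}:{ev.port}")
        h["sessions"] += 1
    return hosts


def candidate_iocs(events, tracker_hosts=frozenset()) -> list:
    """(host, [ip:port], role, sessions) for non-Microsoft, non-noise hosts;
    known redirect layers are tagged rather than dropped."""
    out = []
    for host, info in contacted_hosts(events).items():
        if _in_zone(host, MICROSOFT_SUFFIXES + NOISE_SUFFIXES):
            continue
        role = "redirect-layer" if host in tracker_hosts else "landing"
        out.append((host, sorted(info["ips"]), role, info["sessions"]))
    return out


def brand_asset_reuse(events) -> dict:
    """Sign-in assets fetched while the sign-in endpoint never is; suspect_origin
    is the last non-brand host connected to before the first asset fetch."""
    assets, auth, last_other, origin = [], [], None, None
    for ev in events:
        d = ev.domain
        if not d or d.endswith(".in-addr.arpa"):
            continue
        if d in BRAND_ASSET_HOSTS:
            if not assets:
                origin = last_other
            if d not in assets:
                assets.append(d)
        elif d in BRAND_AUTH_HOSTS:
            if d not in auth:
                auth.append(d)
        elif not ev.is_dns_query and not _in_zone(d, MICROSOFT_SUFFIXES + NOISE_SUFFIXES):
            last_other = d
    return {"assets": assets, "auth_endpoints": auth,
            "suspect_origin": origin, "flag": bool(assets) and not auth}
```

On the sample rows the flag is raised, suspect_origin is eionsesav.cloudns.ph, and the candidate IOC list is the two tagged redirect layers plus opc.am840.com.br (103.153.183.192), poneion23.cloudns.ph and eionsesav.cloudns.ph (both 5.230.43.245). Blocking only the tracker hosts would break legitimate mail-tracking links while leaving the landing infrastructure reachable; the cloudns.ph hosts and their shared IP are the indicators to act on.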
Files
\??\pipe\crashpad_3312_SKVFFHKZUKTXKPUA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 67ab8e1ff75d068218dcfc69a271e979 |
| SHA1 | 988e087eba9c27fd83f24ba4adcb204aa1cd9f65 |
| SHA256 | 0ea5bea20f45735637795da6989d7a81c5f2960dd7fefd2d00e20f04af42fde0 |
| SHA512 | bbbb4251799e698a7069561cec7d539e83496a3b418d17da78dc616413d97bc988c33e500b4dd21c815a6354bb879bee65a0e58df2b414172e42677bbb27de3d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ffdfd48983f732ed375c02332b5ffb91 |
| SHA1 | 80547fb9f19ed750ebc56472f48fc3ba4e2bf848 |
| SHA256 | 447332125089ac193a10f0edd5587d4d1c2a5c963f875c17d4b465d8f65967f9 |
| SHA512 | 796f1ec7d48ff88e4c08d259de28f710100a0f505fc471086de269cc3421cf0cb901e14d786fdda3c52b03eb942324a6a32283490324b6421569a49af794d1cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a799e529c02c1789d930c6553d520ea3 |
| SHA1 | c2e53d243cf1cf7a3f089da874062014954b67cd |
| SHA256 | 3b283544c2c4cd468a53a71c23b7925ef561fd5dede6d8c941adde346f20dd70 |
| SHA512 | 74b69f1de3fc4024ff5e07eb6b954e1f8d97f32e4ea54e2f2668442dd31728816db034fedf1c19f83a11470290ad6d967ab00f8922601f8677cd61c582c3b904 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 69336b46a090da2e77557d599f1df279 |
| SHA1 | 96aff2db857890fd238d1449ce447b077258aeb3 |
| SHA256 | fa6ba302c15d0b9bcb7e3fb31a72b5fccb91c867a9979b7fcd01a5edc4f7c47b |
| SHA512 | b25bb09d521e8d421ed198be46a114ffb24951b8b7f8a4f9b373dde502d03fef2448286539e010bc18139e5139bf7c12894e23a110225fe7a76bb06ac03de876 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | df9d962268c80a88d64f2df743efbd3b |
| SHA1 | efae07b9d66cceb3fe398abc5094b4316f2126d8 |
| SHA256 | ef0a8b35756d5c13b351351af0735a83f07e6bec89d6e300435344dea7172dd0 |
| SHA512 | c48ce77740a8f41931621e03d10d9e3f4eef6d7de6381cb3e14fcd23ce2a206a8c6b61b651154da3fd470d790f514de473715c7c2fa7bba1b8570a828709b342 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 37517548e361aed2a7933a31897a785a |
| SHA1 | ca42d2339d3625bed632b93f5b5db0fcceff3b7e |
| SHA256 | 036328d519212e7f19078a42b2be7e266ea932928a90e93f5b0f74fdf64efd01 |
| SHA512 | 4a8fc461af0ce8d1faf8118dee0ae3b576fe7e05fd0f35b0925db03d38c36ba9a7b99c87b3d18fe547fdfb4713e9defeb5a8afb490b61de9a8193689a126fe74 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | f04f026cec738c20d30e83ff789ec4ec |
| SHA1 | b28facc8c74d29c71b612b43c58411c71df498cf |
| SHA256 | 374905d8843759039561d9f8f318eba50287257d27781308e83a59b0f5f23d2c |
| SHA512 | fea3af13e5db65d6feb58ef7e6b22a88a383b4e388f6cfbda208c9b9f4b6c3241069fbeafaa299b88f23c5d46e97f0bcc1e69ec7f95ca68f295adeea126a9d4c |