Analysis Overview
Threat Level: Likely malicious
The file https://www.chk-homeopathy.jp/?wptouch_switch=mobile&redirect=https://quintetretail.com/plmoknijb/[email protected] was found to be: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: httpsquintetretail.complmoknijbindex.htmluseridandre.bening@helaba.de
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:37
Signatures
A potential corporate email address has been identified in the URL: httpsquintetretail.complmoknijbindex.htmluseridandre.bening@helaba.de
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:37
Reported
2024-05-29 21:37
Platform
win10-20240404-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614922367941552" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.chk-homeopathy.jp/?wptouch_switch=mobile&redirect=https://quintetretail.com/plmoknijb/[email protected]
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8db89758,0x7ffa8db89768,0x7ffa8db89778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2804 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2812 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1824,i,16162313694897844627,9935842069559945781,131072 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.0.2043400722\1983890770" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e989b51-213e-4ac5-9842-bc36c88c5558} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 1780 22f326de458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.1.1183316092\1143147461" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7334ef4-81c8-4de4-9976-1b2c07761d56} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 2136 22f20072b58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.2.453638338\140066069" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2668 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a12d7ee-fba2-4dcc-95d3-3592900aa1ef} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 2876 22f3265ce58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.3.782295876\175302843" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b242ceb6-e7ef-41b5-ab11-9a5fe196327a} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 3504 22f20067b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.4.767277412\1639938222" -childID 3 -isForBrowser -prefsHandle 4308 -prefMapHandle 4304 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d39cefa2-13ae-4ac1-bd16-df4d11b0c6e8} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 3824 22f384de858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.5.159890806\1766638688" -childID 4 -isForBrowser -prefsHandle 4440 -prefMapHandle 4308 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6620448e-28ec-401a-9f22-48a4354f1578} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 4452 22f20062258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.6.901359777\1801889352" -childID 5 -isForBrowser -prefsHandle 4828 -prefMapHandle 4832 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62509066-9efc-4c32-8baa-0d3b4790fb38} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 4820 22f38b0d158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2552.7.197826657\1462302042" -childID 6 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6761721f-46a8-4d44-9e9b-315e7c27d646} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" 5016 22f38b0f558 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.chk-homeopathy.jp | udp |
| JP | 164.46.125.60:443 | www.chk-homeopathy.jp | tcp |
| JP | 164.46.125.60:443 | www.chk-homeopathy.jp | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 60.125.46.164.in-addr.arpa | udp |
| US | 8.8.8.8:53 | quintetretail.com | udp |
| US | 172.93.120.161:443 | quintetretail.com | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.200.10:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | 161.120.93.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.212.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:49814 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 44.237.98.207:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49821 | tcp | |
| US | 8.8.8.8:53 | 207.98.237.44.in-addr.arpa | udp |
Files
\??\pipe\crashpad_2812_RLASTLKTDPMAKJFV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | bf26fea585d64f44cb9bd9d2121e23ad |
| SHA1 | 0b2310b3f08139e6123751b7b63b2de8f3ca3640 |
| SHA256 | 2c75536a278d60a1acd72cd4c7faf24a22af74b55c418b7d7863f8826cb81f53 |
| SHA512 | 3d5b8abfde4bfeb531276bb007322c5b4a5b715492cb478a9bfc57ad7c79412df94c7526fe92f6020c0ce73cf7a1b1e756b98f862aecccd4a1a5b591071ffb07 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 827ef561b417b0873e1d0c11ad4c008c |
| SHA1 | 3ac97960c082751aa56d9d86ee6a763a5007ea0f |
| SHA256 | cad47dd6de4f6d98c5d4c5af86df61b7a164cd90f141e490a3aa510d7c49d5be |
| SHA512 | 1e9f8853dc063e39d4f0a2af21f6b838542ecc5b18e878cb4181aa5cb16f311cf144af66b4204522eec679e938cf3272115fd327552b0f273e5b0d3ac061c8ea |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\02747686-b638-49d0-abbf-e55e5442e323
| MD5 | d88efee8b7f29401f4e366fcc073745c |
| SHA1 | e74bc9f5f382bdfea9fcb221d41282a381c3749b |
| SHA256 | 334ee891386d5fdc69d0d04e75619c5abded5472b5d3dcaddc48d626619aa76d |
| SHA512 | 1a24643a40359a5259ea8e43b8a96e9abaad17c8ec3630aa06554b1601dfcd9677afd4c945f82cd3c679ff4cfdaab1a4a831e67c5f90a8cc07299804a8ceacb5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\b5e8247e-d7b7-49a0-b915-ad42d76f5a88
| MD5 | 424b684b4ca23fcebe0438eee5e746b8 |
| SHA1 | 7bc3e869c6acd24e1df473c2df781492339f0534 |
| SHA256 | 9e79d9c6690dc1ee7c443e49b6931572eca48484f658d6b21c9a3664f5263aa7 |
| SHA512 | 97e3d03b5cef4b01242ac522005366acc7853ff019ed6e6b4ce3ca11a24184d1951f909eb5f3850d4bdcb0803ab28fec326c2988c7007b07a1b6083d3e3894be |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 6c8462971c6e2a0c056529302c0ad9af |
| SHA1 | 089e089e38a96bd8b4c27a404fd3f7d8a20a825c |
| SHA256 | 67a11a8d792d40d3576acce4b5ca26cba4057d52e6ee11a3843f288f48a252b4 |
| SHA512 | 97527e96825cc35f6bc66432f626bbd0c6bcb0f8918ec30cfa84f43b63483764de680677396f24830b666fdeeff3ef730ab507daa21c9a9f5c5d851989ecfefc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 96e106efd13ad675c2c4ed9af457882e |
| SHA1 | 12ca7265a0be21a758949c3586c048540149a43d |
| SHA256 | 2e503c8c734dfd81f762233891e8cc88ac774fc3f5ecaee80e506f4cafc8f950 |
| SHA512 | d730f0212f69b38d3493f61749ea8d194d9c555a0852494b124f61f0d2f0ad00e71c3c35f76a143ebac5bc9a7ddfef87abf0f67fb88943333fe5a0d06b131289 |