Analysis Overview
Threat Level: Likely malicious
The file https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cMW5PR22MB341725DA6D7605297F639C13CAF22%40MW5PR22MB3417.namprd22.prod.outlook.com%3e was found to be: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: <MW5PR22MB341725DA6D7605297F639C13CAF22@MW5PR22MB3417.namprd22.prod.outlook.com>
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 13:46
Signatures
A potential corporate email address has been identified in the URL: <MW5PR22MB341725DA6D7605297F639C13CAF22@MW5PR22MB3417.namprd22.prod.outlook.com>
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 13:46
Reported
2024-05-30 13:49
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615504331958729" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cMW5PR22MB341725DA6D7605297F639C13CAF22%40MW5PR22MB3417.namprd22.prod.outlook.com%3e
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8843ab58,0x7ffb8843ab68,0x7ffb8843ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4492 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2420 --field-trial-handle=1920,i,2298782044107286148,1884168348706625235,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| GB | 40.99.151.162:443 | outlook.office365.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 20.190.159.23:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 13.107.246.64:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.151.99.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| IE | 20.190.159.23:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | identity.nel.measure.office.net | udp |
| BE | 2.17.107.176:443 | identity.nel.measure.office.net | tcp |
| BE | 2.17.107.176:443 | identity.nel.measure.office.net | tcp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 152.199.23.37:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.23.37:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.23.37:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.23.37:443 | aadcdn.msftauth.net | tcp |
| GB | 40.99.151.162:443 | outlook.office365.com | udp |
| US | 8.8.8.8:53 | 176.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.23.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r4.res.office365.com | udp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| FR | 96.16.249.46:443 | r4.res.office365.com | tcp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 46.249.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e8e0d3dc0679e23c1e7f3221f9921138 |
| SHA1 | 37193f4b850034d4204fe48c5efb458702554263 |
| SHA256 | 1a783b344e886ab2ca40df08b56d5eb47f159472c962660346c3926cf6b44d73 |
| SHA512 | 4e7ca4938f8db4895a1035772483af37bfcec77e7ab44f6d98ed8f3d8dd848941462ceecfa7876109c5e9554c8c7a45162f9fe4ad66a29cc19b0225df1a05dca |
\??\pipe\crashpad_5072_JMFMWQRLZPPHURTG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7f9ab135-1d74-4074-a86e-bbf9ebd6f5e8.tmp
| MD5 | 4b6111ce78ccda1d9b77d66db1d8f978 |
| SHA1 | 21ac6d243428d4a69214507956703e7efbcd7a18 |
| SHA256 | ae2f05dae91327a373e9dae85e648646b368a8a0b13353b6ea2aafa738461bd3 |
| SHA512 | 658591dde471ea0236b44b0b6260b181761c94bfe90c5db24d73e993eb7f82c33e0a843fe78ae4c7493536d5a52a400c23bd0c348d75140351f615a26016a7e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 49a39b21b7251ad340eb700e6c8700d4 |
| SHA1 | c31f0155699547a120269abc72195c6e18d97ba7 |
| SHA256 | 4a08f47051bf26d3956a404dfadfd3c67cbec3b98c978bd1265e1576b9e793ee |
| SHA512 | 86bff7668f5ef68393b27d12c03652399286a30cf86fd8b8221e0b12e9a7f4fe8604a4e7afa73c2084944610912151fbd54f7e97d514e44636e126354cdebfe6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f69293cc4e620593bb42b8f888f09776 |
| SHA1 | 05cd3ec8ba56adfc4119a9674a94574924aef4c4 |
| SHA256 | e899398144a7b196f3d857ab2dda718db98d219e7f7a50db11b38143913a5c37 |
| SHA512 | a50ef67f1c4b3584b2ac119f5be632b7026faed3a4300034551b563a6afabe6a1381a2bed81893dbaaab805aa9df510122bffd1128f018a2fe2af3f3b8f37fe8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 08090d85918564abca2d468bddcdf33e |
| SHA1 | 4a33bcdfd2c483c6037a6af2804bf055c604b10b |
| SHA256 | 42b0065979d36a12228574db6d966cea620af088a3e5991ae403599ec28842d0 |
| SHA512 | 311194b2cff452881fb1c5a372ee6b98df51b50de1c05f0dd6d12190784b6f15008aa7cabbc43ed59ee9504f9b14f84d68b80f9df44c08e5e71e5c2d2e83ed10 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2f94271b9b691987de0aa1b0ec1db08a |
| SHA1 | c0ea1555a3e659cc6af6570430a1126e47431c10 |
| SHA256 | 26a2913f42371f591522ef30fd3412bf3019c770c400a360b728f97a7422e7c0 |
| SHA512 | 8e0370e7f7012a38e8d1d45794e08ea2ad522c5220293b726f6e566ebb58e5187cbc586436b7cd4518917761d7c3284d4744cf2578a9d424382b66c2b826dc40 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | d30f47b98cb61dee04ec7586d865927a |
| SHA1 | d93765b14b786d117c618ca59335a8009ee9fa25 |
| SHA256 | d7a35bf8fe6d9568b30f0f557b4caad5031c59a5406b22d8705b6c2fd3109047 |
| SHA512 | a7577dacd874ec06e9763ba19432461cc37d28d49f897870e7c891985fa436a844589ee03a6314559ef1aabe8387d650e4fa4fead0dde1c5de10b6b4361eccf3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f0f7.TMP
| MD5 | c7f5a3b725f51a0f7154119dadc4daf2 |
| SHA1 | 72d8d531bb6334cfe083b85a1a221c80d0719306 |
| SHA256 | 739fbb584bb53c6a9a6c77b59f996c58c75c6a515ad45c25e77e3ee90e25e50a |
| SHA512 | 8f5f64d3d79d5cd5f34a90f7621908a80a6d63f151fe84e51cebe047c322924f2d6d4c823ae7a92aa3e8acad9b25dc422d1e11d6110b428cc52a08b936571bff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bd25a202a4d0a8b5dc4bf711b03ad6e3 |
| SHA1 | c18f2945759fa814b6eef969a301936d98514945 |
| SHA256 | 3bedc966f6759cc37eb6db332c5362e2fffa82af881c8ea2b442b02b6c0efc4b |
| SHA512 | bd10e3625f49a231cda0a8b72cffaa44aef842c13a185b360245618c03dc417312085a2442f87c0b7ef4d8ecebdf391a989b3e06c06db9fbbe2ffaf5e29a292a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7d6c08f74e34e0902605fa0868b6fda4 |
| SHA1 | b796c4ae9044dc594f063f6d5f002788c462bcd5 |
| SHA256 | 66e59c71019007d86892d35c059b82acfd0fc5e99f81b06f164704e1e7b73632 |
| SHA512 | 2c6183d94ff25fd3a940134cdc744a60705a17337200155c2daab196e01ebdf8f33ad070a8ee58f672407ba0e94e6724efcb3a380e903ce57f993ee79fc3ede7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a3e4d4a7f1c8bb966632ee756ecc6633 |
| SHA1 | 20769bbf96f0a028fae4bb6fc8d8ed9ecfab1c58 |
| SHA256 | 262ff1422416b566d5ef4f99c1f3b4859e7a83f08a068333380aaf49bd503457 |
| SHA512 | e5317c6c186c22f24640addc59b9d9d421b54b8d177e02f0e75d4266aeb6a090f4c168d0e3ef8a018c3ead6621ad97299ed6f1fca41bee74d856835dc9355547 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 8770055f92ca0db0d7a2eeb821b76380 |
| SHA1 | b914cc4b28be0c084099e4befc323ce3bb651966 |
| SHA256 | ce190c0e2a2e716b2cd4de39c40dd4d4ebae27f009ff011de7126ca89f0bd302 |
| SHA512 | 3024b08a164b110ff0a2386782ceb028ef6a95ce4111cb65851890a151d4cf340b3153a48fb2fe472f3dba1588e666453c4010aa4cc5f0edbe402e9c1ee0af05 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | cb151a7990555626949a25d03f8e5c6a |
| SHA1 | 523e0fc4a7d51bcfbb0545ecb044ee06a39a1f92 |
| SHA256 | fe29a00699c183edcb8ba7ee0d43e96d885878ef6e8011a7af29e6f0ed09ba39 |
| SHA512 | 2f07ce12538eb73b5dd578b70bd3cd160d1b244df79a5deafe1e7f3a31abdbdab886da4f2bacf2d2e6b913fe3a915706d6cf8bb1254fec44944e8175ede47de6 |