Analysis Overview
Threat Level: Likely malicious
The URL http://www.agora-mailing.com/clients/icsi/risk-management-covid-19-international-perspectives-on-the-safety-of-tomorrow/28070/[email protected]?lien=https://ceylininsaat.com.tr/supersend/nub/sxl5a7211zkab7icekzxglwh30gpbxsd6oytb5d2njaubnguokoexpvjucrbjlhr3qxk4br4a2dhzexe was found to be: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-07 02:47
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 02:47
Reported
2024-06-07 02:56
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
114s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622023523479853" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.agora-mailing.com/clients/icsi/risk-management-covid-19-international-perspectives-on-the-safety-of-tomorrow/28070/[email protected]?lien=https://ceylininsaat.com.tr/supersend/nub/sxl5a7211zkab7icekzxglwh30gpbxsd6oytb5d2njaubnguokoexpvjucrbjlhr3qxk4br4a2dhzexe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb610fab58,0x7ffb610fab68,0x7ffb610fab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2736 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4024 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 --field-trial-handle=1968,i,566442243546638116,4766716074142813626,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.agora-mailing.com | udp |
| DE | 162.19.154.46:80 | www.agora-mailing.com | tcp |
| DE | 162.19.154.46:80 | www.agora-mailing.com | tcp |
| US | 8.8.8.8:53 | ceylininsaat.com.tr | udp |
| US | 192.185.175.151:443 | ceylininsaat.com.tr | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.154.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.175.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gvv6.congbac.com | udp |
| US | 172.67.218.222:443 | gvv6.congbac.com | tcp |
| US | 8.8.8.8:53 | 3xo.peascher.com | udp |
| US | 172.67.218.222:443 | gvv6.congbac.com | udp |
| US | 104.21.91.211:443 | 3xo.peascher.com | tcp |
| US | 8.8.8.8:53 | 222.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | www.ebay.com | udp |
| BE | 23.55.97.51:443 | www.ebay.com | tcp |
| BE | 23.55.97.51:443 | www.ebay.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv.main.ebayrtm.com | udp |
| US | 8.8.8.8:53 | i.ebayimg.com | udp |
| US | 8.8.8.8:53 | ir.ebaystatic.com | udp |
| US | 209.140.129.85:443 | srv.main.ebayrtm.com | tcp |
| PL | 93.184.223.214:443 | ir.ebaystatic.com | tcp |
| PL | 93.184.223.214:443 | ir.ebaystatic.com | tcp |
| PL | 93.184.223.214:443 | ir.ebaystatic.com | tcp |
| PL | 93.184.223.214:443 | ir.ebaystatic.com | tcp |
| US | 8.8.8.8:53 | rover.ebay.com | udp |
| US | 8.8.8.8:53 | secureir.ebaystatic.com | udp |
| US | 8.8.8.8:53 | 214.223.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.129.140.209.in-addr.arpa | udp |
| US | 209.140.135.138:443 | rover.ebay.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 209.140.129.85:443 | srv.main.ebayrtm.com | tcp |
| US | 8.8.8.8:53 | pages.ebay.com | udp |
| BE | 23.55.97.144:443 | pages.ebay.com | tcp |
| US | 8.8.8.8:53 | 138.135.140.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | backstory.ebay.com | udp |
| US | 209.140.136.167:443 | backstory.ebay.com | tcp |
| US | 8.8.8.8:53 | devicebind.ebay.com | udp |
| US | 209.140.129.71:443 | devicebind.ebay.com | tcp |
| US | 8.8.8.8:53 | 167.136.140.209.in-addr.arpa | udp |
| US | 209.140.129.71:443 | devicebind.ebay.com | tcp |
| US | 8.8.8.8:53 | 71.129.140.209.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pulsar.ebay.com | udp |
| BE | 2.17.107.122:443 | pulsar.ebay.com | tcp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.189.173.13:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_devicebind.ebay.com_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3381bc86c79371e1bfa1f0b0cb77ccf6 |
| SHA1 | 4eef8831ddc0e01592de0a632194933fc9ea909c |
| SHA256 | b9ee57ba0497e11f4b6135b9c686f91d6887ae4aa611dae41269f3ebe1528123 |
| SHA512 | 847bf2d0ea05de5575b2fbd2604f6be84b697ed978193bd47547ac6953ff0da6a5e243cf64350868c3d3fa14ee22415a41d84dd62de858734724e8d7e09865a6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dc508a886471587b4a6af7153c2850ff |
| SHA1 | 763061ed0c1c11f6a0ab502af68a539df9a911eb |
| SHA256 | fd6a8e5b3deb491e2556e3a21b72083d4b060143b7694728927e0feb008e9890 |
| SHA512 | 2f67a6535e535f8846baf32fc8908a7a4fdef277d93dd4a1a801d2bda8e3b3235787ba544062afff61d506929148f08f4a8cc7635940401dbffc127efee3c7dc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 4b548a8524a9947b8af3128e68d9b7e1 |
| SHA1 | 59fc275db4aa146e67c7116523059294461e09c8 |
| SHA256 | a433041bc208649539e025ef20eb2982361fe78544cc53cb9e9cf5294ba7e211 |
| SHA512 | 78a0e6408badaebc3b5ca7d20d866e4de851ba0711169d12352dd7a5c1f312a64fa2b2a191ee5615014b86cc14e44e490e8d17913e774f9a1611c6c2c65beddb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d1befc7af608ae0c046943b1c586999e |
| SHA1 | 0eee44859d96d203adf1bda9640ff6dda41ddd75 |
| SHA256 | dccea2a23227becc9018ba51d33ddb6b9e873e7e9ef3da8eda0abc6363af1919 |
| SHA512 | d99869e65c5617b3ed7c01ba0f02b24eabb53548b51001fe8ebe67d356e3b44ec9eeffb9ee68221d8b40472e5892ad1655707af8b97117acd90781847a4589f1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6720b2cf5f764a61a2f65901630c74a7 |
| SHA1 | 59922faeda789116ef18a651e99b6f1e05c49c04 |
| SHA256 | 850452fa30bca8170b430907aa03e89eb9782d73e95d890261aea5b31870195a |
| SHA512 | 605beaef98e24514946ec0ab8eb505f0b613a447ed2df96bae3530519635eba956e09909fb1d09d0f0058dc07a4a94b6ca0a4512649b3bb6865b64ec5613f76c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_devicebind.ebay.com_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3114fdd0cb45aa3f7c7d96c04564867a |
| SHA1 | a59ee6f8505c3eb2e89c2809618ff6c7be5b67f3 |
| SHA256 | 3e539e49c15ae3605cc23285cf8a762254ae722702a87712ded34d084160366e |
| SHA512 | 10b55751bd3b463ba3bd177ced00e65c13b909530e655c97e4806923c8cc7c4435ea47d33a061225d7da7e5e368a12c2ca4bbfa7077dd8e965d1d33cdc7254b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 97c6e018290b6f84d6ee85f2413b531e |
| SHA1 | eedfeebb06356d36a620ae4cfb19ef5b150b9825 |
| SHA256 | 27b98c8748d1ffb7fe817073de090ee4200ac97edb334cf5585748515358301c |
| SHA512 | 220fe887fa4ec880090b355eb0928589b4058825f895558d6930daacc40e30fe9ba1c96832ea7fad258fef557e4e8d9532c03990d1c7eaacf6d516661bdc8d5e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | b5456dcfa9048405707d1d076dfc64e5 |
| SHA1 | f2a147091a9589faf42210a867318187bde95400 |
| SHA256 | 69d695a2ec1359a072b28434f8b2bcbaf25b55824447f181068853748d109565 |
| SHA512 | 7ec9939b29002e9330f48e02eab682da7144903f78c8b5f197209beb92b6d1568416bbb6369ba491bfcc047acbf8b531ce346c8f471a5f0c23debac9755feaf8 |