Analysis Overview
Threat Level: Likely malicious
The file https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=http://qantas.com.au.beautyandbait.com/re/qantas.com.au/[email protected] was found to be: Likely malicious.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: httpqantas.com.au.beautyandbait.comreqantas.com.auamatahlija@qantas.com.au
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 00:29
Signatures
A potential corporate email address has been identified in the URL: httpqantas.com.au.beautyandbait.comreqantas.com.auamatahlija@qantas.com.au
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 00:29
Reported
2024-06-27 00:35
Platform
win10v2004-20240611-en
Max time kernel
389s
Max time network
383s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639217676665960" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=http://qantas.com.au.beautyandbait.com/re/qantas.com.au/[email protected]
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd08ddab58,0x7ffd08ddab68,0x7ffd08ddab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4372 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3656 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3100 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4656 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4488 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1548 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4404 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3164 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4360 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4136 --field-trial-handle=1792,i,236941127247687614,4779723798148749581,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tracker.club-os.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 35.170.14.114:443 | tracker.club-os.com | tcp |
| US | 8.8.8.8:53 | qantas.com.au.beautyandbait.com | udp |
| US | 192.185.77.115:80 | qantas.com.au.beautyandbait.com | tcp |
| US | 192.185.77.115:80 | qantas.com.au.beautyandbait.com | tcp |
| US | 8.8.8.8:53 | beautyandbait.com | udp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.14.170.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.77.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 192.185.77.115:80 | beautyandbait.com | tcp |
| US | 192.185.77.115:80 | beautyandbait.com | tcp |
| US | 192.185.77.115:80 | beautyandbait.com | tcp |
| US | 192.185.77.115:443 | beautyandbait.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | challenges.cloudflare.com | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 104.17.3.184:443 | challenges.cloudflare.com | tcp |
| US | 104.17.3.184:443 | challenges.cloudflare.com | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.3.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ckdkd.bestcommercialroofattorney.com | udp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| IN | 43.225.52.75:80 | ckdkd.bestcommercialroofattorney.com | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_2608_IKQJNSIGGGTCUDNZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 40c97cd3601b943002748ef48c010096 |
| SHA1 | 7f8816a0f48b5ca464f37d0713a8f186685dd2dd |
| SHA256 | 1f39343b8221b659bf74efa650292e868fcfd1e570e49ef9e7b14075bd758cd2 |
| SHA512 | 15d539795e930d70e3dcf0a62725545e24677bae6a37e185cb8465f31c22b38e856df2a3a1981fc1020ab461f4405e56e81d1d9849a8de95ee4f9be0b3c2c144 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d145438b19cf712d628aa0948599c4a8 |
| SHA1 | 4e2e6e997731ab836b340dddc6972c8a992ecdf7 |
| SHA256 | 46ee73783fea575f24fe28d950e2187d07d6417d50eccf6b601914fa9605ecdb |
| SHA512 | 8752b8e463ff0dd6618f55fcf4dc8b79dbd0cd79b99991881f9acb01ad95715db5b4db4554a28d1ba68390240f9204aaec09c43fca6d5b1b4e232aea4ad50f1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 47ab813145625a1806006c2a933fb30c |
| SHA1 | b4d9d8b05a7f2026a1d9fbb44fea055904da9be1 |
| SHA256 | bc09182b0e6c5616d8be32b7e212bb3f2b655acf53fe4a5fc7748af4739985ca |
| SHA512 | 785c23f7b68777dfe2e116368cab85bccd096ed10d0ece92497b8df93535482317fb09221c2b3b710b63698e979fa647b48d46190413455d869e91d7e9124779 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a219f397958f9e3ac7f438bea0559ed9 |
| SHA1 | bda9abec811bd7c399192fa004144fff97336727 |
| SHA256 | 48126b25040dde68877308452c4c94601fc43e4956b844b00a67f4deb1dd73fc |
| SHA512 | 892329865656773d1702573b9d20c7e62d98dd2bdf27df9bef5dc4aa9a5e6fb6816d68a34437ad22f4b1f3d96bee14ce81aa2af8d4e10094b9c7c67885003a04 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 37bf30e02fe3e08e01cfe7bf0ee566b6 |
| SHA1 | 93fe98fea76ba26ab7b1bec741fd7df6a1bbd6a5 |
| SHA256 | 844525343633144c0427fc3ece2db149191c8f51cf4d2b601f3bd4f920fe5d66 |
| SHA512 | 5613ac92948f0af49f5c55a1b7f8374cc2bb217d4d54daa1cfd351d352fe6e367313cef2d0dcd603554057a8915e6d0adc897ac040826c78228a231187e6145d |