Analysis Overview
Threat Level: Shows suspicious behavior
The file https://kfj5nknggr.wreollyane.tech/m/6d3c1a839b5a51a8a044be604150a111.htm was found to be: Shows suspicious behavior.
Malicious Activity Summary
Looks up external IP address via web service
Detected potential entity reuse from brand microsoft.
Browser Information Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 13:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 13:47
Reported
2024-08-07 13:48
Platform
win10v2004-20240802-en
Max time kernel
52s
Max time network
50s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detected potential entity reuse from brand microsoft.
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675120542824304" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kfj5nknggr.wreollyane.tech/m/6d3c1a839b5a51a8a044be604150a111.htm
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85405cc40,0x7ff85405cc4c,0x7ff85405cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2148 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2244 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3188 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4516 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3384,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4728 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4440,i,18257760047666069657,10171094474914055839,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4932 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kfj5nknggr.wreollyane.tech | udp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.110.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.251.36.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| FR | 89.116.110.38:443 | kfj5nknggr.wreollyane.tech | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 13.107.246.64:443 | aadcdn.msauth.net | tcp |
| NL | 142.251.36.10:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_3400_CAWIGJWOTDIZLMEX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f03358956398f0831faf1271a00ced22 |
| SHA1 | ad79e793769fbd77ae1af52fee3045388cd00768 |
| SHA256 | 27331e896ba38e213dd44d824535214af8f883efaca93e2f215f331621f39fa8 |
| SHA512 | 3c48ca78bf3ed2ab139b05f7fdd72fd129641481d7775721980a176a9d05ebbcb5c3cc2e7c10a5ff1988ef4a90e71982bb17e014cae42f42762f63f625d4ca85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d3565f496f979df5d9d02f7c6e99b046 |
| SHA1 | c4ee68b3b4afdd69266d472ce79a2a2bc1fc735d |
| SHA256 | bb729d25dad13e46c1c00d22e2222ba680dd069727333187506348b5c0d56fb1 |
| SHA512 | 309246ddafaf346914dfd674a3f2fb4bf129f67867af3be89bba5d2666ca49e990d9b69af62f1d0e4005863d49c30b9cd04673ef78ae3a1aab61f2ab610904bf |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9bece0e93bc20d18ef971253008a122a |
| SHA1 | e24dc6de477a326b3730a5562c88140ecb26e0cd |
| SHA256 | c632af2eeb638ebbb9e1675695d74cf77d4acfcff7a674bdf4e59fb7c4f9c3eb |
| SHA512 | bdb6aa1c1d0e629b24d3afbe2e7173585e8196f8057d0d13936b72ff0ff0806f306c1c9a7a8b8d025f259de6c32161e3f47e6656ec66929013a3aa3e6f7b8199 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 09966b881d37297d9ca8a524e54cad4b |
| SHA1 | 5735f34ea0479decce0247ccef7a2423552a15d9 |
| SHA256 | 6574d1f376157d36b4cf371af8f3a88cea4a17c8e4576c70bc022222122b5598 |
| SHA512 | 7f7a85146dbad20fa2d3bd0d5e704ac536782876c67daa66bd00b0cb366f3ba12e2a67423c743863951f230745cf74c87814ac4bda66fcea8e41cfb005702601 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a9ccc9c8b4bf5f3b45494a97848fbf5d |
| SHA1 | ff3581df2559823974ec91f072a46dc8b60b46ed |
| SHA256 | bb5c60494992a14574285fbb6ddee20c2a91c1ae9d877883b1c8c078829ce4a6 |
| SHA512 | 983a3200f29a9306d5a2bad70fe57e636f79814e73db2bbfb1a38e46a7cfb19129ba6863cdc5b50b9f5aa0b6a64c972e2f80cd9bb5bd019a7f6a95584d67b97f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9d892fa4c7c84a17b2fd516e3050c2e1 |
| SHA1 | bbdb58ea56a302502e32e874b2c886dcad4cd73a |
| SHA256 | b0e8aa59dd04d1505d716c206946f0c2c3237c079d8973047fd0cdc49220b33b |
| SHA512 | a4170c8a78938e6c24a8c351a2b5d844959097b14981a02ef980c98b9bfb6fa1fc85f659d77657a7c054b9f1463ae809ca82f125cf72260f66455df716c17899 |