Analysis

max time kernel:   22s
max time network:  18s
platform:          windows11-21h2_x64
resource:          win11-20241007-en
resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         20-11-2024 10:20
URLScan task:      urlscan1
Signatures

A potential corporate email address has been identified in the URL: [email protected]
A potential corporate email address has been identified in the URL: [email protected]

Drops file in Windows directory (1 IoC)
  Process     Description                   IoC
  chrome.exe  File opened for modification  C:\Windows\SystemTemp

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process     Description        IoC
  chrome.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  chrome.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  chrome.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Modifies data under HKEY_USERS (2 IoCs; S-1-5-19 is the LOCAL SERVICE account)
  Process     Description      IoC
  chrome.exe  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  chrome.exe  Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765716365676406"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 784 chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  PID 784 chrome.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  PID 784 chrome.exe: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 21 entries of each

Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 784 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  PID 784 chrome.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry has PID 784 (chrome.exe) as the writer, and every target is a chrome.exe
  child that PID 784 spawned itself (see Processes). Targets, with the report's
  internal procid_target value:
  Source PID  Target PID  procid_target  Target role
  784         1364        77             crashpad-handler
  784         1352        78             gpu-process
  784         5036        79             utility (network.mojom.NetworkService)
  784         1884        80             utility (storage.mojom.StorageService)
Processes

chrome.exe (PID 784), top-level
  Image:        C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=nadeem.jabali.93%40gmail.com&lc=DE&item_name=PI12092&amount=1050.00&currency_code=USD&button_subtype=services
  Signatures:
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children (all spawned by PID 784):

    chrome.exe (PID 1364), crashpad-handler
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5836cc40,0x7ffc5836cc4c,0x7ffc5836cc58

    chrome.exe (PID 1352), gpu-process
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2

    chrome.exe (PID 5036), utility: network.mojom.NetworkService
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3

    chrome.exe (PID 1884), utility: storage.mojom.StorageService
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1212,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8

    chrome.exe (PID 1800), renderer (client id 6)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1

    chrome.exe (PID 1104), renderer (client id 5)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1

    chrome.exe (PID 248), renderer (client id 7)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3992,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:1

    chrome.exe (PID 3556), renderer (client id 8)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4288,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3620 /prefetch:1

    chrome.exe (PID 3920), utility: chrome.mojom.ProcessorMetrics
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,17003399642807274488,3038615665283862588,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8

elevation_service.exe (PID 112), top-level
  Image:        C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

svchost.exe (PID 2364), top-level
  Image:        C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
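The only non-Chrome-internal detail in the tree above is the URL handed to PID 784 through --single-argument. The following script, added here as an example and not part of the sandbox report, pulls that URL out of the copied command line and decodes the PayPal Payments Standard fields it carries (cmd, business, amount, currency_code, item_name, lc, button_subtype are PayPal's own variable names). The helper names and the free-mail domain list are this example's assumptions.

```python
"""Decode the URL the root chrome.exe (PID 784) was launched with.

Added example, not part of the sandbox report. The command line is copied
from the process tree above; the helper names and FREEMAIL_DOMAINS are
this example's own.
"""
from urllib.parse import urlsplit, parse_qsl

# Copied from the root chrome.exe entry (PID 784). The report rendered
# "&currency_code" as "¤cy_code" (HTML entity damage); the intact form is used.
CHROME_CMDLINE = (
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    "--disable-background-networking --disable-component-update "
    "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' "
    "--single-argument https://www.paypal.com/cgi-bin/webscr?cmd=_xclick"
    "&business=nadeem.jabali.93%40gmail.com&lc=DE&item_name=PI12092"
    "&amount=1050.00&currency_code=USD&button_subtype=services"
)

# Assumption of this example: domains treated as personal mailboxes rather
# than a merchant's own domain.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def extract_single_argument(cmdline: str) -> str:
    """Return what followed --single-argument.

    Chrome takes the remainder of the command line after that switch as one
    literal argument, so no shell-style splitting is applied to it.
    """
    marker = "--single-argument "
    idx = cmdline.find(marker)
    if idx < 0:
        raise ValueError("--single-argument not present")
    return cmdline[idx + len(marker):].strip()


def parse_paypal_link(url: str) -> dict:
    """Decode a PayPal Payments Standard (cgi-bin/webscr) link into its fields."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))  # %40 becomes @ here
    return {
        "host": parts.hostname,
        "cmd": q.get("cmd"),                 # _xclick = Buy Now button
        "business": q.get("business"),       # receiving account (email or merchant ID)
        "item_name": q.get("item_name"),
        "amount": q.get("amount"),
        "currency_code": q.get("currency_code"),
        "locale": q.get("lc"),
        "button_subtype": q.get("button_subtype"),
    }


def triage_notes(info: dict) -> list:
    """Observations worth recording, derived only from the decoded fields."""
    notes = []
    if info["host"] != "www.paypal.com":
        notes.append(f"host is {info['host']!r}, not www.paypal.com")
    if info["cmd"] == "_xclick":
        notes.append("cmd=_xclick: a Buy Now payment link, not a PayPal login page")
    business = info["business"] or ""
    if "@" in business:
        domain = business.rsplit("@", 1)[1].lower()
        if domain in FREEMAIL_DOMAINS:
            notes.append(f"payee {business} is a personal mailbox at {domain}")
    if info["amount"]:
        notes.append(
            f"payment requested: {info['amount']} {info['currency_code']} "
            f"for item {info['item_name']}"
        )
    return notes


if __name__ == "__main__":
    url = extract_single_argument(CHROME_CMDLINE)
    for note in triage_notes(parse_paypal_link(url)):
        print(note)
```

The host check matters more than it looks: the same query string on a look-alike host is a different finding altogether, and parse_qsl is what turns the percent-encoded %40 back into the @ that the "potential corporate email address" signature keys on.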
MITRE ATT&CK Enterprise v15
Downloads

Filesize  649B
MD5       50a04241dde4d61539d4f9ec3c40eda7
SHA1      b7add5758f7bca1ec5e93fdbea3181b07a461bc2
SHA256    dd277dd93161a8c5d82b98e127cea923f7c0b4f73b22ff45b93aac1494e0c0ec
SHA512    25965ca8ac9c9e2b18d3adcf59a990791b039902f359c372015094641eaaa4064bbca58aa873cca071a6b56945bb850a0fa0909a75bc52005b4793bf5d75ef24

Filesize  41KB
MD5       503766d5e5838b4fcadf8c3f72e43605
SHA1      6c8b2fa17150d77929b7dc183d8363f12ff81f59
SHA256    c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9
SHA512    5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Filesize  215KB
MD5       e579aca9a74ae76669750d8879e16bf3
SHA1      0b8f462b46ec2b2dbaa728bea79d611411bae752
SHA256    6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512    df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Filesize  2B
MD5       d751713988987e9331980363e24189ce
SHA1      97d170e1550eee4afc0af065b78cda302a97674c
SHA256    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize  857B
MD5       ec12f2a4be1855f722241b30d6e4d0cc
SHA1      bec744a32c00e0c742c91a4a24afc5e7568f9c8d
SHA256    bdf5dac143f6c4c13e9e4e3fce97bb91813203257d5c34981d7fd90ac7a2df40
SHA512    4ea3829ac1507f6a098f95b3ad35371f42410442255c0bf17807e0740e5ed4f1f6fcff665cf10dfa7c4e74bd4c15c8f4310deeb8b96e69d286b17591fcace3f9

Filesize  857B
MD5       443fe0735ac3cbede466a62d63a1e6fd
SHA1      32975a183960f4883a0158910aee8300bb846042
SHA256    1385ab747528b6e5b3618317b0179dddf7490aedbba8246f81b239ceea50e5f9
SHA512    ba844b70ccd07937836a0d070ff734cf74fda9b116efa12bbae4ddd635cf42b23b13813bc7682773a8ca5444c375e34e665ad56d2c6ce5448f86787d5088da28

Filesize  9KB
MD5       f896b95e6267f4b0d3514c57ec764382
SHA1      217f4ce013ea5cd1413d0dc05d530ce8869cdad0
SHA256    ece27d9a60660e93c18f4dd77c1194facecc079554d4d79eebd474e499f751fd
SHA512    c7e7463008c31cbe7447ec9b9475485e8d4707303712527d3dfa1107506009f927ef513411434959f8a2d460b19e299c1e59e1d923662bdd1777a9a5cc0b15c5

Filesize  228KB
MD5       c87de167bbb08efc0a29da9ed29d9380
SHA1      b36fed10a5fcc044c96adcd7a67f024d9bc7f604
SHA256    99e4c79edfe9dfdfaddf35476c1ec3633fa1c65897ea756fd57aefe689000121
SHA512    69a15256638a7423da53bf992e020615eea67fd55ba4e22cf7b91d37842f7fc9309a810a333623deb37e07599798e846269ee59e6d95b7b9d7dbbd0d4f6b56a8

Filesize  (not given in the report; these four digests are those of a zero-byte input)
MD5       d41d8cd98f00b204e9800998ecf8427e
SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
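Two of the nine digest sets above belong to contents that need no further look: the sizeless entry is the empty file, and the 2-byte entry hashes to the same values as the two characters "[]" (an empty JSON array). The script below, added as an example and not part of the report, recomputes MD5/SHA-1/SHA-256 for a handful of candidate contents and accepts a match only when every algorithm the report lists agrees, leaving the seven remaining entries for manual review. The digest table is copied from the report; the candidate contents and helper names are this example's own.

```python
"""Set aside the trivial artifacts in the Downloads list.

Added example, not part of the sandbox report. The digest sets are copied from
the Downloads section above; the candidate file contents are constructed here
and the helper names are this example's own.
"""
import hashlib
from typing import Optional

# Digest sets copied from the report (size as the report gives it; the last
# entry carries no size in the report).
REPORT_DOWNLOADS = [
    {"size": "649B", "md5": "50a04241dde4d61539d4f9ec3c40eda7",
     "sha1": "b7add5758f7bca1ec5e93fdbea3181b07a461bc2",
     "sha256": "dd277dd93161a8c5d82b98e127cea923f7c0b4f73b22ff45b93aac1494e0c0ec"},
    {"size": "41KB", "md5": "503766d5e5838b4fcadf8c3f72e43605",
     "sha1": "6c8b2fa17150d77929b7dc183d8363f12ff81f59",
     "sha256": "c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9"},
    {"size": "215KB", "md5": "e579aca9a74ae76669750d8879e16bf3",
     "sha1": "0b8f462b46ec2b2dbaa728bea79d611411bae752",
     "sha256": "6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf"},
    {"size": "2B", "md5": "d751713988987e9331980363e24189ce",
     "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
     "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"},
    {"size": "857B", "md5": "ec12f2a4be1855f722241b30d6e4d0cc",
     "sha1": "bec744a32c00e0c742c91a4a24afc5e7568f9c8d",
     "sha256": "bdf5dac143f6c4c13e9e4e3fce97bb91813203257d5c34981d7fd90ac7a2df40"},
    {"size": "857B", "md5": "443fe0735ac3cbede466a62d63a1e6fd",
     "sha1": "32975a183960f4883a0158910aee8300bb846042",
     "sha256": "1385ab747528b6e5b3618317b0179dddf7490aedbba8246f81b239ceea50e5f9"},
    {"size": "9KB", "md5": "f896b95e6267f4b0d3514c57ec764382",
     "sha1": "217f4ce013ea5cd1413d0dc05d530ce8869cdad0",
     "sha256": "ece27d9a60660e93c18f4dd77c1194facecc079554d4d79eebd474e499f751fd"},
    {"size": "228KB", "md5": "c87de167bbb08efc0a29da9ed29d9380",
     "sha1": "b36fed10a5fcc044c96adcd7a67f024d9bc7f604",
     "sha256": "99e4c79edfe9dfdfaddf35476c1ec3633fa1c65897ea756fd57aefe689000121"},
    {"size": None, "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

# Candidate contents (constructed here, not taken from the report): a zero-byte
# file and an empty JSON array, both of which a Chrome profile routinely writes.
CANDIDATES = {
    "empty file": b"",
    "empty JSON array": b"[]",
}


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256/SHA-512 of data, keyed like the REPORT_DOWNLOADS entries."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def identify(entry: dict) -> Optional[str]:
    """Label of the candidate whose digests match every algorithm the entry lists.

    All listed algorithms must agree: an MD5 match alone is not accepted, so a
    single mistyped hex string in a report produces a miss, not a wrong label.
    """
    for label, content in CANDIDATES.items():
        computed = digests(content)
        algs = [a for a in computed if a in entry]
        if algs and all(computed[a] == entry[a] for a in algs):
            return label
    return None


def triage(entries: list) -> tuple:
    """Split entries into (identified trivial artifacts, entries still to review)."""
    known, unknown = [], []
    for e in entries:
        label = identify(e)
        if label:
            known.append((e["size"], label))
        else:
            unknown.append((e["size"], e["md5"]))
    return known, unknown


if __name__ == "__main__":
    known, unknown = triage(REPORT_DOWNLOADS)
    for size, label in known:
        print(f"skip    {size or '-':>6}  {label}")
    for size, md5 in unknown:
        print(f"review  {size:>6}  md5={md5}")
```

Extending CANDIDATES with other boilerplate a browser writes (an empty JSON object, a bare newline) is the usual next step; the all-algorithms rule keeps a typo in any one copied digest from silently turning into a false identification.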