Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 17:19

General

  • Target

    https://www.paypal.com/invoice/payerView/details/INV2-4LS4-7E54-WL7M-3MS9?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=b6cddc8c-9533-11ef-a03b-95edd980ddda&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=b6cddc8c-9533-11ef-a03b-95edd980ddda&calc=f775624d07ae6&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.288.0&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-4ls4-7e54-wl7m-3ms9

Malware Config

Signatures

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Detected potential entity reuse from brand PAYPAL.
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypal.com/invoice/payerView/details/INV2-4LS4-7E54-WL7M-3MS9?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=b6cddc8c-9533-11ef-a03b-95edd980ddda&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=b6cddc8c-9533-11ef-a03b-95edd980ddda&calc=f775624d07ae6&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.288.0&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-4ls4-7e54-wl7m-3ms9
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb77bbcc40,0x7ffb77bbcc4c,0x7ffb77bbcc58
      2⤵
      PID:1216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
      2⤵
      PID:4688
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
      2⤵
      PID:4448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:8
      2⤵
      PID:2724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
      2⤵
      PID:2636
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
      2⤵
      PID:2436
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
      2⤵
      PID:888
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5008,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4424 /prefetch:8
      2⤵
      PID:3268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4752,i,8581466086628326917,15293739172553126625,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1628
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:1624
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads
