Analysis Overview
Threat Level: Shows suspicious behavior
The file https://www.paypal.com/invoice/payerView/details/INV2-XYXV-BUDQ-WNVT-DRN2?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=96022f14-9c40-11ef-8ec1-a7c5e732ad0a&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=96022f14-9c40-11ef-8ec1-a7c5e732ad0a&calc=f997034978f20&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.291.0&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-xyxv-budq-wnvt-drn2 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Network Share Discovery
Detected potential entity reuse from brand PAYPAL.
Drops file in Windows directory
Browser Information Discovery
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-05 15:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-05 15:06
Reported
2024-12-05 15:08
Platform
win11-20241007-fr
Max time kernel
60s
Max time network
63s
Command Line
Signatures
Network Share Discovery
Detected potential entity reuse from brand PAYPAL.
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778848352923598" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.paypal.com/invoice/payerView/details/INV2-XYXV-BUDQ-WNVT-DRN2?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=96022f14-9c40-11ef-8ec1-a7c5e732ad0a&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=96022f14-9c40-11ef-8ec1-a7c5e732ad0a&calc=f997034978f20&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.291.0&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-xyxv-budq-wnvt-drn2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8c031cc40,0x7ff8c031cc4c,0x7ff8c031cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2996,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3036 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,11997760499838197481,3768761486965784513,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3940 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 151.101.65.21:443 | c.paypal.com | tcp |
| US | 151.101.65.21:443 | c.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.195.1:443 | t.paypal.com | tcp |
| US | 151.101.67.1:443 | t.paypal.com | tcp |
| US | 151.101.67.1:443 | t.paypal.com | tcp |
| GB | 142.250.178.3:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b.stats.paypal.com | udp |
| US | 8.8.8.8:53 | c6.paypal.com | udp |
| GB | 34.147.177.40:443 | b.stats.paypal.com | tcp |
| US | 151.101.129.35:443 | c6.paypal.com | tcp |
| GB | 142.250.178.3:443 | www.recaptcha.net | tcp |
| GB | 34.147.177.40:443 | b.stats.paypal.com | tcp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | tcp |
| GB | 142.250.178.3:443 | www.recaptcha.net | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 50.19.89.137:443 | api.sprig.com | tcp |
| US | 50.19.89.137:443 | api.sprig.com | tcp |
| US | 50.19.89.137:443 | api.sprig.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
\??\pipe\crashpad_4964_NPEIXGGXKUQZCPQK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 0fb409391cb1d3acbcfd67203e781022 |
| SHA1 | 2439a6055262dcf4127ffae0729ab2f9d1d66668 |
| SHA256 | 932a2631f9c14af48f042fd6e343e9cdf9f24163839ea67220015629f9a13f08 |
| SHA512 | 2e7e9ed34e3e67dffc2ba20d458beae1002afd8bff94cb97319f70628197048e285aead1b3bf5aa144f3b0487e7b7657f56a956369bf2559807d8aa25fb404fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b7ceb6f55e6a69a39d3e1bffaaf077a4 |
| SHA1 | 89972b551e55765a2ee4dfab4dc5d7e39a810cb0 |
| SHA256 | 3db14a0cf428b523b2683cc0fefac02f6c4ae91ddfdd9ee9dc24dbbf8a8f73ca |
| SHA512 | 3522b3140e60293d27655a5ecefb74630dc85fd204bb8b96e3bc6b7ccce464e5a33aa8c1917d53fd31a6e61dc7f52418089d9db1afde500eb301d9acd4e7ec2b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5dedc87fd115be3957874ccafef782e1 |
| SHA1 | 643f9e23431ff1999abf9cb121929cc9438ac0f9 |
| SHA256 | d94742507658f005d31db6dcf6e403d392aa52bb60333d7e8eb2fec4fcbf3b15 |
| SHA512 | ae96253bb95755028aa593bf417e8ad5e7a9c19e546b77f9556c5ef0866a1546e7f786d88069ede3595a6e9be26b9d006c0eeb2fc08150ed760fedbcd852141c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4752e949abf53686b6197bf914449f19 |
| SHA1 | 71449cac81b804c9430b464fd53d760f7a2acf3c |
| SHA256 | ddf862ac42eec68230b8a8a86750754c1d7a39b1cc047b6c4c99e485ed035a5b |
| SHA512 | a0a641d41f97f203c01494439c53da4af6e14dc5f8cf98b292a5c91af86f6f32c6bcccafd8c6a582a931dc8392a40fd170e6da4ec03e5c89abb67d6f70efa85f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b972eebd793e908d2fa1d3d9562ed118 |
| SHA1 | d6308264a3337cd5dcd036801c7cfe0ba67d6161 |
| SHA256 | 8e8e06132be8455aba18aab4786e6cf62854990e0fe2488c6dc7f2a6dc0bf214 |
| SHA512 | 43fef2bef91d96afe9f2cc1e1370db2f5b0169c06c5b3ac6c7eaa6ca5dc95062067fa558f02be7cb6439858d301e43816d4721d478813c14b34faea9ac1aa6aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 85b134673419019b091aa8d702a5db1f |
| SHA1 | 6880348d488f5c2fa9552524430e6d88bc656923 |
| SHA256 | 139b316a5800bf47d6848e70dd54dc507eff45b0e37183b412b0906e85b41a6e |
| SHA512 | 6b721e32b449fbd4fc6509391d5111f8b8a8036fa8ccc04d8e93d7fecb0fe412f13881f1205a3ac4474f5bd122af2a9b81fe6546ba4bb9e4c947699122a0e2e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bbe9ccc48d10cbbe24941fbe015ebcca |
| SHA1 | b96a8965e8195c8003c5ad45ea1caaaf06ed0960 |
| SHA256 | 89edf871c21854bae015520a85f40dfa8c8a7463a93b778da3572576f6cfe1f8 |
| SHA512 | 4ca1023deecc9e2a8eda4d1cc929267a45c3af078d6f9f5ffc07c3214cfe6f9ac4639bdc08342cb972ae682ccde394b5d0a4e266e339a6523a8c6c74aa7b654e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 81eaba9eb858da2ad5ea8cbde5c7bc9d |
| SHA1 | 78bbb49ec2fe6f2113e13a449bf06438fa9c5d10 |
| SHA256 | 30a12cadcf34091a50673e509e2c9ffe8a10cde9765d46a90ffb8b32b4fa9ae8 |
| SHA512 | 51f6a4f4dca281e142cbefb6fa48313b621b1ff2668bf0172a24283e4cd0dc20cae0394c836b171b0ba2954ca7ab41bf6291fc69ef88a625d088685dcb785597 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6368183f8a71ae9d69552696862dc167 |
| SHA1 | 3f7666d6b4bf21aa87fc4d91e76ab9eeac37e22d |
| SHA256 | 3b4a8a8000acf7a73da09cf2f72dfcdae4c69402604fa101215ff5d5f6afcb97 |
| SHA512 | fa84848cd8de38fad99e0f0ec6d91ecc2f481a08b54a66aa89cfeeb61f2009c2831e3f39605d731676d816528ddd9596fb01d2130866cf9cc319d205339cf865 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 96e852461f968e7520ac58682e6224cf |
| SHA1 | 67253a5be4aa53039b5d98b67f8a5ca0d9e2aab1 |
| SHA256 | 501c0e954c417f620369e791a70e6f645050c0854720c5c17a18fd85f502cd0e |
| SHA512 | a2ee682c43244cb9565c4527e9c9b827d68d51185460003cfabdb39185f66792e271bc5e6d462696a65a718e2bfdfcd6b5b312dbfb8c0157bbb36e1638c9b9c1 |