hxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/6mFVCXDA9VUOrMzoNU6fASWmUxo?domain=paypal[.]com

Analysis

max time kernel
13s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06/01/2025, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://url.us.m.mimecastprotect.com/s/6mFVCXDA9VUOrMzoNU6fASWmUxo?domain=paypal.com

Score

9^/10

paypal discovery phishing

Malware Config

Signatures

sample_rule 1 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002abc1-98.dat	sample_rule

Detected potential entity reuse from brand PAYPAL.
phishing paypal

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806792773204473"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1828	3200	chrome.exe	77
PID 3200 wrote to memory of 1828	3200	chrome.exe	77
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 2984	3200	chrome.exe	78
PID 3200 wrote to memory of 1716	3200	chrome.exe	79
PID 3200 wrote to memory of 1716	3200	chrome.exe	79
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80
PID 3200 wrote to memory of 3776	3200	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://url.us.m.mimecastprotect.com/s/6mFVCXDA9VUOrMzoNU6fASWmUxo?domain=paypal.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaca9acc40,0x7ffaca9acc4c,0x7ffaca9acc58
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1752,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3256,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,13846312502034912908,469147218304698942,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:2276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
53ae940b3b5f1107a87bc21ca8b19a25

SHA1
c8ba6ed4e963f5ba5d1d26922ca36a6bb0976987

SHA256
1371aabc6ee9767d81a51f2aad7e7793f8483b93277f8a1ded521ed1903db482

SHA512
a9f5f213d73fc61691d3c26e9492d20e5a4b909387650cc19c0ce9c09116433ba85af55f4eefd2aa8b983e707c01ffad8a81235fd179a46d7c60197e1f2d36bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0730964b9515d2aa2f59560f31f47182

SHA1
94f68b54ae8a6b154458f39904c3535d8aa2bb14

SHA256
613161268f87067425e76fb8e6ab49da4c6f38e0ab38ff1a1a7a45cf2cd0adbb

SHA512
f67a5110c8f96bb3fe14ae5d5abb99ab1132c0f1ea1c04db6c5da4615ff8e5d6c9641125bd329bc7578428c59f32a93d1e27ff500d43a55e46bae4b583499e52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
217bd4f63d0e1fe8ed13092bcff6f966

SHA1
a48a0e634375056c5c4514289b881585e4887f22

SHA256
fe617c53ac493d763c0e60741eb53369e9dd85f410712750fd0c0e478cc35905

SHA512
48df2c2018ffb676ea88a4121fff03b356a8f3fd99b53e3a15fede3bb7d26a765fc260514075de759d03b96b96fda248784c008fae3331ed0157efcaa9a36d9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
f0ac0656fbdadd4c83c357a22bc57359

SHA1
9731055b4f27d8c8520d9b271ccc1ffb18024448

SHA256
06af4a40526c55420d7e9e54a7637f5bd54d29a3d6a5f3742910ef52f8990c7e

SHA512
d506f9de23fe1d4b9fb7a34f14e1855a60144c5bdde75b448535f8d6720fadca6549d133251c164ec038a1e3838c81671ade188122f9adb8d1113fbd1d44f7e7

Download Submit