hxxps://assets[.]msn[.]com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0971df9e-1e1a-4086-82ee-bb7582f91ad5&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 22:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0971df9e-1e1a-4086-82ee-bb7582f91ad5&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244376244036972"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4680	chrome.exe
4680	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4680	chrome.exe
4680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1512	4680	chrome.exe	83
PID 4680 wrote to memory of 1512	4680	chrome.exe	83
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 792	4680	chrome.exe	84
PID 4680 wrote to memory of 3116	4680	chrome.exe	85
PID 4680 wrote to memory of 3116	4680	chrome.exe	85
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86
PID 4680 wrote to memory of 3840	4680	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0971df9e-1e1a-4086-82ee-bb7582f91ad5&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fffab769758,0x7fffab769768,0x7fffab769778
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:2
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3340 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2860 --field-trial-handle=1816,i,1060242971678105375,4564975511233204994,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
954B

MD5
5e9aebf2cffcff784d927c7764f957c8

SHA1
9c3eb0132918b3f8e0cae5837990a288ae79ae4f

SHA256
3c5cab588387bc8ca912b57f2145eab43ddb80686f4d9ac4f676103d24b9b1df

SHA512
e52f01babff59a8e9ca514611bda007f6c8e015938c14979c400acdd8abe7b9d9a4e67020501e0e7162c1abccbcff33a480bca727ad03c1f85ea2eb0fa5b1137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54c81cb25f54eff6de7ea271f2f60857

SHA1
723fde9ec157088f94e7b43ab9deb33aaa6b1e15

SHA256
b6c72651b82d3590450d7a871b0a1bdd607ed1f91dfc2c12c0dcfc4bb42f4de0

SHA512
4904256b6af8d1ca36ad87fa3154299f938a2c63baca713cc6c28ee891b25a4dafe7138f24a3d435661463c817676dc602275708673a33ca149d77d6caac1d6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf8eecfb6649afe2ccabdc6ce7710e0f

SHA1
dc72285a2f1b43cfcf56ea443cec3e0c9288c278

SHA256
0b022a4d4233720993b6b47a3e457aa86b56e4843e76d0271b2325a74180a82d

SHA512
99d54a5a0fa9c709552ba0be74a18cd124ea348d563b3982de235cd1e48e0b777c16b6d6144d1ce7f81f8f3d8f958bca30b071d35f149412a96c3fc0453ba1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9167bb1bd9e49815e1806a547e93068a

SHA1
b70865363764a066a4594bf97c1b88c45ce68266

SHA256
df7f979458b49ce48bae0da53c8321650d21e150c85d8d788812e843fb6f015f

SHA512
5d1e9f37793cd601695a67dd8c0e376a85b3620c7de5534f13b29980627118c9e888ea24494a612811a46717e07d5fc2d573874c4eb06c94055e8da43f19f091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
96527c94cfb9c7e9386b22624f34cd30

SHA1
3342d8ce09236f3a0b6477044f1db64507d7aaa7

SHA256
1f847650c26ac809f4d367ea5124a1c7a76702820050605a8abe5adb4ad4de9f

SHA512
49f4cdc65b8313a274af8fe7dc662b1ba72c4a0a375a5f25f7287bd600667a68ac395b4cded575eaaba0f50efcb8171c323f76f2dcc87c4a6b10f950818b8c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit