Analysis

max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2023 10:36
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: http://Clicked url Verdict changed to malicious - https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9zdXBwb3J0b25saW5lbTM2NS54eXovP1djS0FYPVlXeHNaVzVpY21GdVpHdGxRR1ZzWVc1amJ5NWpiMjA9
Resource: win10v2004-20230220-en

General

Target: http://Clicked url Verdict changed to malicious - https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9zdXBwb3J0b25saW5lbTM2NS54eXovP1djS0FYPVlXeHNaVzVpY21GdVpHdGxRR1ZzWVc1amJ5NWpiMjA9
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Process: chrome.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Process: chrome.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Process: chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | Process: chrome.exe
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133281021978260813" | Process: chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2504 chrome.exe (2 entries)
  pid 4048 chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 2504 chrome.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token: SeShutdownPrivilege | pid 2504 chrome.exe
  description: Token: SeCreatePagefilePrivilege | pid 2504 chrome.exe
  (the two entries alternate; 64 entries in total, all for pid 2504 chrome.exe)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 2504 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 2504 chrome.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2504 wrote to memory of 3496 | pid 2504 chrome.exe | procid_target 90 (2 entries)
  description: PID 2504 wrote to memory of 2748 | pid 2504 chrome.exe | procid_target 92 (repeated)
  description: PID 2504 wrote to memory of 1772 | pid 2504 chrome.exe | procid_target 93 (2 entries)
  description: PID 2504 wrote to memory of 1288 | pid 2504 chrome.exe | procid_target 94 (repeated)
  (64 entries in total)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2504)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "http://Clicked url Verdict changed to malicious - https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9zdXBwb3J0b25saW5lbTM2NS54eXovP1djS0FYPVlXeHNaVzVpY21GdVpHdGxRR1ZzWVc1amJ5NWpiMjA9"
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Child processes of PID 2504:

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3496)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddc129758,0x7ffddc129768,0x7ffddc129778

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2748)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1772)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1288)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4196)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5072)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5104)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4616 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5080)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1932)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1580)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4928 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4724)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2792 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1912)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=212 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4048)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 --field-trial-handle=1780,i,3211295167178459814,4060531572817634993,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1892)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 504ba021a4738c2875131752f9008ad6
SHA1: d73875266de0d1e63c34d4abf79e84bc97bc016b
SHA256: e3f948db4eb3df49b7cfd76d35a22c76d7c43b9e03f605d88224fd6d193592ac
SHA512: 3d547924c36924260970fa07216362de1e273b73fb33aa0c861068043ad3466eb38727c726dfd254e07cd907a3a57a29db3a1dc50507ebeddef2f92fe11723f1

Filesize: 5KB
MD5: f139d1e1903262a0066eeb3bc80a8389
SHA1: 4e48d456722e014c5f136f2d34d23a40d740bade
SHA256: 055244dc38e3220777545404b5ed982d36822ad6546b681ca17cfaac8d06e7c3
SHA512: 053f6eb08d0c0a0ab540bdf38245651d241520637fbfd6368ab66a87f4d0621d35d99b469aae53b4dd67f859de6a992973c07a0983d752e70e7e0f40e4dd96c3

Filesize: 5KB
MD5: 4ae0fa045b392d03c8b446e64ca92035
SHA1: 3e68db00a9ef2f7fa8821fad2206ecb8cf2f52e4
SHA256: 76eecf6282ebf598fd6a80f33a4b6a49382e3e81219df2bf7737757384157f5b
SHA512: 878d8edf7670e7b7fe30ea566bf23f2ed0ac1a4d04fa039fdebdbb472c8ff134c5b355c7190516013a2d0b7b4f8f8ab9ed838c6219ccb0e1f4e64d4bbbc09694

Filesize: 149KB
MD5: 492137e7b95917dc9bbda18fc79d0f82
SHA1: ac50efd30a05082392df036f8d5c504aaffa96c8
SHA256: 58e84fb700a4388b7d079ae0c24b15bbd6b7c603cd6fe84776e44c8e171d2991
SHA512: c9eb960e686484b875cf5a910a9577b917273cebfb4a61c285f2d4ac769ee04a5c0da9708c9fe42cd840fb27816cc86aa442a0202a988447b8d3707b36dc66c4

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd