hxxp://www[.]xiasnf[.]monster/penalize/dc86z2k39s5z8Is613C228re1H70e1H25HhDvwFEiwtfxvDrwZvs4tEGsi8aR29mdnK7bW1hX0g6GpckqY

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.xiasnf.monster/penalize/dc86z2k39s5z8Is613C228re1H70e1H25HhDvwFEiwtfxvDrwZvs4tEGsi8aR29mdnK7bW1hX0g6GpckqY

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244942486097167"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
3208	chrome.exe
3208	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4420	4920	chrome.exe	85
PID 4920 wrote to memory of 4420	4920	chrome.exe	85
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1332	4920	chrome.exe	86
PID 4920 wrote to memory of 1320	4920	chrome.exe	87
PID 4920 wrote to memory of 1320	4920	chrome.exe	87
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88
PID 4920 wrote to memory of 1200	4920	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.xiasnf.monster/penalize/dc86z2k39s5z8Is613C228re1H70e1H25HhDvwFEiwtfxvDrwZvs4tEGsi8aR29mdnK7bW1hX0g6GpckqY
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0c6b9758,0x7ffb0c6b9768,0x7ffb0c6b9778
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:2
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4804 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2840 --field-trial-handle=1820,i,17490204270390582980,7191259923954217795,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f60fdc6052754763fc4564fcefe8e9b9

SHA1
d7e97fe10818d4e2a551a952854ec66af3bb04b4

SHA256
f078be81eee6d656c26604d258d79c08a25fe78d788bd2b01455578a84e27e50

SHA512
75a85320601740878f00c985bea5d46316b52a7c2b06f09885436820384914d87ebfa94068e2d0b2861f4aace054b9c70bf2f6b116a9a4aaa40eab5411811e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aefb202eca2d9fa9594931269764d296

SHA1
6ad829139d8db62ce6b54f3170e6afe3e6630ea8

SHA256
6c22507d8e9300f5d88dd8fc5b19949c6c3e795872bbe6cd1eda8c5436ee4dc9

SHA512
abbd8197986dac47919986de687a2f934eaba44ce5982cc60f6c6112799510ed623f41264b269686db0e23caa5a88fd1df7b82f49dcfc3e75eaae5a1ed617c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc8d5fdc57f898d8f22bc3f5d2479070

SHA1
e9b7c7932015a3d2d632b77eea36ccb6533edac7

SHA256
6c83d401d5472f399f68da6b904d36d946f07d69b47b1ea3c29832d3bcc21eb2

SHA512
e746f5038c44f58c83ba380b8177b40b166cea409e5112f472c13acc9f8a9e85c2ca75be8772e17469f51af8ba99fb5c260426a114b39e0f569ed6b50b959dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
166f24969cf0a8b01f51cacc7e7e0689

SHA1
74457cab1b69d0959b6c0d7cd93da8357a1927b9

SHA256
524247e470cb7aa19a9303f5de28dd5e00962c355b5ef636929be094fac41f7f

SHA512
2672fb12a0acebf74f3929ca251ce499fb28e7c90b89b21a5e368440e9aa00387bbc1d419fe6fd3eb47203765bb6326e5095a8398d101213e785f504d8e270e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d7063f7a6ca6356c2e1289a212ef6f53

SHA1
40ad45ea906d1b0782647cb5214dfc65cd5470af

SHA256
33cd07f978398cf6fc20762bcc842237d2742ddad321a7feea3e17f1aeff3771

SHA512
958cb324b4e38db5d4d06c93dd1287939db220f3d23511c5c8e66971818539bf1aa3f87bea6fa0cf334e5eb1ebe67c575d565064de783b4a722f5790beab0c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
46abd97a0757aec3255eb35c160e28a5

SHA1
57ecb971b40cd9356d75d2779c26b8d4debb61f8

SHA256
8d86909bbd86592cf2459adefee7fa51b269a75c638903306563507d5306c0f6

SHA512
f3b1641970a0fbe474371cbdb27b2c06fa5dcec70b84967bb45e7428e937141e24729899a35a7e64c8f1c2801a189627bdbb96ad2a5e176ff19c62660e4f886e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit