hxxp://www[.]xiting[.]ch/

Analysis

max time kernel
59s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.xiting.ch/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133286850164887036"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4668	1436	chrome.exe	85
PID 1436 wrote to memory of 4668	1436	chrome.exe	85
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2280	1436	chrome.exe	86
PID 1436 wrote to memory of 2524	1436	chrome.exe	87
PID 1436 wrote to memory of 2524	1436	chrome.exe	87
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88
PID 1436 wrote to memory of 3360	1436	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.xiting.ch/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad1eb9758,0x7ffad1eb9768,0x7ffad1eb9778
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:2
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3480 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5332 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5396 --field-trial-handle=1808,i,13729866205278964302,9592323086715065721,131072 /prefetch:1
  2⤵
  PID:4956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4d5db39375cc25bfc58728b5ec529194

SHA1
51379f4edd74c016aab4267b854a911c5335d62a

SHA256
7688994c76c2dff3443f02e1f5cb0978606c3631890ec3e43888e036091a6c5e

SHA512
567eec72e24a33b62d9f2bb647321ee5f168dec5ef3eb91022e4e545c772d3a874d7367ceb0c8ecdaba325300d939932bff5bbcc8f63fdaa616f562d71bbf230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
072c9d9f67141edc7e92d7c86c788281

SHA1
4b60a90999053bf773dddeb1adaed03a0ef76870

SHA256
8381198223c0d49aabeca77f7f7a3bc8ecd4571efdb5fd637e32eab7e7e9e6aa

SHA512
56c8d0c69d5e0329685003ebcaee445e2e88f32b0f9543993a42fe93b26118d6646e9e4de2e5342055bbfa37595dd3c45f4b040e799a8a3b166e3086cf90c0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a0d508cd64dec0f2969a20b7e4b037b3

SHA1
e851751ca71d6286eb4c6321fe9fb0dfaefbc8a2

SHA256
2181e14a333360a9f9f50881e00ed0bf5e7a93e1685efa932af4194059d84649

SHA512
e69abf3dd1e6a6c8d25523c1119c562a2e6b4fe54751d7bf758d7338c02a90b04f9b959541bf88aa2098dd0a0f7fb88bbdd5d807e1e30297bd1c5e97be864ed4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5da0f99d9c5c2d4b00e8bd8d963323c1

SHA1
fbc586984c78007196c11407e8dc77d5574b814a

SHA256
37080f4cf7304194130e0d0dc8d16e0f2db50cc07547df0dd6011c2cf0708581

SHA512
cd7ba4530237cba29ea714ce003f80956900aaf5a5dc3417d5ea477ef021e1c4054ae84ac529962ed3af2f4c6a1cdfb4219f3ee39244778b56df46f6c6f3a0ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2b193e4c62e3455d3e1285128f591270

SHA1
65fc664d3ac1cef20ed02e284944cbc1e08f3bd3

SHA256
87a9e3ec6cd4703cdaca347d2097fe7f4e80527b9818e03d069cfafedef4fd0b

SHA512
1532acaf2881968fc4f440dc4685e3798c58f84cf9cecf7c64016eb428a7c0b1255d5682bd59fd69d1f741edcca0a629280b0a997b9af4c5b7237dad41e8768c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
d9b2cb5cc6b9d291116a465eb747f07c

SHA1
1db5d814ad8bd54f1d491f836cb314235450b928

SHA256
0eadf57999fdc88a9f7c888b99ebd7c7cebd2b0c881177bf40951fd52a122c19

SHA512
af98530f4ec50b40137e5fc2e6c3efa63bcc87a117aed8ec4138be548a6827e1ff33aa8cae93e31b1037820b4bc2235697c39cf32c50b96ea6042d1247ecff64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
7e829494b001d14147f7aaef7af844c9

SHA1
fa56fae6d8df0c782488f3c035ccf1ec4d986152

SHA256
d8297ba61bbc86e2a93d168fdc5ac140e024aeda3189b566c5bbac81c52fc809

SHA512
6b4c07b6a64a7515aff66e944b3a3c27c9ab0531bbdc1b45986ae622ffc9e6a5bddd11316806fe2c66548edb680e80dd656ba2cad52d312dfdcbab3bc76d19e7

Download Submit