hxxp://xn--r1a[.]website

Analysis

max time kernel
127s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://xn--r1a.website

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133413137307730294"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 636	4240	chrome.exe	82
PID 4240 wrote to memory of 636	4240	chrome.exe	82
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3196	4240	chrome.exe	86
PID 4240 wrote to memory of 3204	4240	chrome.exe	85
PID 4240 wrote to memory of 3204	4240	chrome.exe	85
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87
PID 4240 wrote to memory of 828	4240	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://xn--r1a.website
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa69139758,0x7ffa69139768,0x7ffa69139778
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=968 --field-trial-handle=1976,i,13382469071870490928,11862830710858814249,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
1024KB

MD5
ad1412245ff312b9f5799728ec1db6ab

SHA1
f7a7e9ddbacd4c06e808e8911de7971e3689b696

SHA256
6ed903d589ed57d8d670e74c239f060b7640b9445cfcbc1236dad417f094108f

SHA512
40823dafa5b3bafb6b5cc44be9ac8f25cbcadfadd7426e72438069ccf55eb544d8a9c3101f3e723795b0e29c4bb3dceb8d8064c36d209eedb5c094717bde7035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
175KB

MD5
10908b5775207b384d97c1b8f68abb5b

SHA1
5ce1e4d9bc57e31138a402edd44a9908c61fa55b

SHA256
51c5a5824f3cae3d0bc614261a1e263aa42a0fca95aced6b94d567d952695db8

SHA512
7b80a7d7d70c9e08e86e7cd72efbd3d11e13597d33016e1f90e4f94c0d17ffb80fe343fabd15ae6e39b380d589f898f9f23f192c476ab2c61c982d5d6399ad7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
1c9fac552b69872b12fc5439a4d0f607

SHA1
353f70e8d5cc111c3e14e5a334c2a72ad341165a

SHA256
58e052de55ad600a4962e22b3df229545f56e3df59de1f0a12225f7cf130ae7c

SHA512
7eba360872f22a5672280244e09cc39d4aefe90476e5d8ebb0f9aaadd94b6e54c83650f30d8e612a8ed5689a32bb39a441ab6e37a31af154621fb7198cb1aaaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6fd7547842f298a1e8101b58744028f2

SHA1
7e559ee5e600f1d358b108b96d52ba4b0ef963e7

SHA256
35953a681ad57e5a541416bc915d2e75a6f92e00e0a3da0fd6a099de9fd2fb72

SHA512
d754b2a75a9f8dd03f34a6129065a26304b92350ebbef5d2cc7c70b0a163e8e14d5448bb7bc6ff87341c2d5d432611bef26d418e13f610b9f5f9abc72045d8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f4a358ec81a481a7a0231e15fafc5b9

SHA1
3c40798d76c19f757eff414ea868e742a8c0c2a5

SHA256
d718e27ea84ef0449d6e0156c5200da730d638e8a2842fd9a644310d60743887

SHA512
e58fd9d80c1c72b7c458485bcde137e72beb0c35236de690b369b250db440f487b8537fe0b99dbd2d67fce298973704b2eb719e1c77e2d3ac2db59be60a79ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c3f9814bf41946dcda37f690ddfadda1

SHA1
136453a8aad155e84716dc499187e50af0c01630

SHA256
58974643f0b73f2cc8e1cb76db73316d76a63160590ff048bee102c4c081a7e1

SHA512
218c780f095f3aca60d8eea373cbf02ed78d41ba30df05dee130f1011f4a17ceedad138c7c6c7aab8f2ba38adfaa0f625d4208c91a4a95df82ba2e2a61617fa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
099461cd81e27d45428ebfdce059c5a7

SHA1
1efb4a5861d2f0c2f5dd20c7d721c5136042b77c

SHA256
45e227469617f9c583e71f4e284e950c214c72fff22570a23535b5991d858b2c

SHA512
a9faecfd7a74b6ce93d465461962a582ca7dcaab0e7ea47de8ed3d220a909d4f04cbbd340f5af6c76efa5cfc78065cdd3fdf9f88f2a87e4755516747e7b74945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit