hxxp://185[.]225[.]74[.]161/xaxa

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 07:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://185.225.74.161/xaxa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133425202264338828"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
2296	chrome.exe
2296	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2888	3908	chrome.exe	83
PID 3908 wrote to memory of 2888	3908	chrome.exe	83
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 220	3908	chrome.exe	86
PID 3908 wrote to memory of 4200	3908	chrome.exe	87
PID 3908 wrote to memory of 4200	3908	chrome.exe	87
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88
PID 3908 wrote to memory of 400	3908	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://185.225.74.161/xaxa
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa44e59758,0x7ffa44e59768,0x7ffa44e59778
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:2
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1924,i,7712868327680660167,2420174132659736222,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6203d176a61d5039ee4d28841bca03cc

SHA1
7cee825eed05b81baaef022836a0fb906680e6f2

SHA256
e9fd933b5cf26df5e560d3b56f22fd198490f07fd6cc820c002bc4f43eafc544

SHA512
a1ba8fc35a4bee28f7c655a4ff34b9cab573e3b89cf8d2ac7d47b99d397dcdad0b6d90ce3c0d8cd7bff9f8e5d9945c6f460d0ccfccd27151501057ced41253d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9e6e71269942d362ea9532927558d34d

SHA1
e76a2afba3ccba375366c402e87c00dd0d050af7

SHA256
104e201c5a4af5dc6fa2000f00b1cdcfff699cfb71cb3a728678d5d8c4a3edb0

SHA512
72ac8141ed65a3dbef416d86a49c91cb9a45504c044fa596adf1006958603cc3ada9a0b3b976a6bed855a47b0a6c7a45c88919f79b8749ddea53146344b6d1f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fcc0da54cb392ec1a7ab8909647e681b

SHA1
42fc493612024cde1d55e8298906ba2a56899568

SHA256
819c80d531512fd5260701b21085128592fa24d4db00410e00fdaaf7eb515cea

SHA512
30392734d21e6f3b41a2eabb328d036e9210022ae04982b07787dc61b749154603681e88947237920944d081dbf9844b8face18c840c11041cda860a33223c2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a8bef00f-ef74-4393-989f-43a0c002f181.tmp

Filesize
6KB

MD5
20a1a3d34ddb290f687f2f5415346eb8

SHA1
7d6609f2c4af12d394adaf92adee2c01c563c10f

SHA256
fe7a70d6d001cccf8a26113934eec6531b77ea7f5a2eafd0e5a0f7ef695aec4c

SHA512
9a614902be1b0a30ef85b8ce661854ca6a6d68a64a01d8bc30035a0df2e0fadf4f44235c0b22cd81e0d7669c16fb62d40c5debdc84617edb878f63bb28401ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
5652638f50f5cf37ecfa204bb681486b

SHA1
c84de6fa7eaf02580937f71629f55cea6ba7d2ff

SHA256
44772127ee6250e867c7f30274ae2e0f4fad2b0d80beb4954fa22ea12d2eb845

SHA512
b340641962678ae7d77a2241eed4ac676198520a3e7ffb345ce9ae571a29e060537ce69dd5fd53a41cc50c225b13bb3957fdf0d05c977e52f223273637047eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit