hxxp://www[.]xerox[.]com

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.xerox.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 248	1648	chrome.exe	79
PID 1648 wrote to memory of 248	1648	chrome.exe	79
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 2408	1648	chrome.exe	82
PID 1648 wrote to memory of 1356	1648	chrome.exe	81
PID 1648 wrote to memory of 1356	1648	chrome.exe	81
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83
PID 1648 wrote to memory of 5036	1648	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.xerox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e4d79758,0x7ff9e4d79768,0x7ff9e4d79778
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:2
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3780 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1868,i,5662590264418788494,1587414615000339578,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2f8
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
9b2441362e7e8a878bbebe45fa47ec2c

SHA1
9daa0c5d9716f51db333de5de49f7734cb3e4487

SHA256
1989855b2665a1f38eb2b3d04da79c12f022f201afb8002cd3700400f2166d5c

SHA512
cdbcb64ff3dfcf5bc08eda1deb77dc6218301c45e9c566f6e62e4fc014a575817028a8f75623fff2830f34a8f306e975d5084a27d260c8445e914ad73a8dbd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
74a124b74e3771101557d60f7d61960a

SHA1
f9e5979385146755eb35cdd704ea6e3690f87b43

SHA256
a2e1e2cfcda02fcb19b8c150870689bfeaeaf93b7f79c860107b0415928b339d

SHA512
fa9d84a6d5e661a9aa2bb6e9da70db5a69f19c555bb7000261636c12840cf7a7f6a45ab8aa6362b29fdee06c72b8a65ae88dead2ff437908679e1f4415be2799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
144e6e341bc7738492ddd0ce40b6f88a

SHA1
ce44b85bf3e4f94b3c7914092c27b1a1a6d59ca4

SHA256
989fa73cab0351e8a19f4881387b803882a9c037cc64e797e7c5dad7881bff50

SHA512
fb2fb93af5623170b7c326e6108400f5268c272d40294143223df5f6f758da1e7b05a3d6433da24166074b37f39754369ebe138a41632672c883f2058dead0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8e261093e359aef05d39f13a59d5b2ba

SHA1
905e41240a05f6ff8124ddfe6230d6cf9160eae4

SHA256
0fa6cc700cb9a872a0c27b0f5f63f815c1621b7659d643aacef2b6351ff84eb4

SHA512
587c63f71033fdf217ed0f2ef1712a5f3ce5df83d089f93371f507e83dc62d1eceef38b8816c4a74d14e6840a84dda7ba54610ae4fbf1ab749565de6cd6207fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c3e0a6aa2a6d5ffa289cdc1a6e080b3b

SHA1
4425b0bc4e6c504097c8fb1e6b54538693a0854e

SHA256
e79d2fb874046a4ee0ac309fbc177838c1d471a36fb3a2fa52bf6f443e47282f

SHA512
645041addb31e16703e3cefb27368aee4b4cdf4a44d667e64401a97342b0a36811c41187ca280ad908f027a9e308772442d13283544db3561879896b076b71fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
d130f5fba9ebe0109e4f6c9d00f27987

SHA1
59fe130c4657f98ce50b2efd49354a423de63bf7

SHA256
b3340567bdfce8c5d7b3e6e22cb2288a19e7f33e7c127df2d73bab76bad66d24

SHA512
b134b56007c54e7f452c2847834b4a75bec64f185bc7735959b8f19e3d15ecb2038d89eb242bcf7e1f78338c25db3172a17b8ea97694828b26ee5a741f7a9a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit