hxxps://cdn[.]discordapp[.]com/attachments/1244905285567516755/1245253542760022080/XylexV2[.]zip?ex=6658143c&is=6656c2bc&hm=37281ae4a5cf809ff31c532b3414ab2e58aa1d76926f80fbb17a55d821238f75&

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1244905285567516755/1245253542760022080/XylexV2.zip?ex=6658143c&is=6656c2bc&hm=37281ae4a5cf809ff31c532b3414ab2e58aa1d76926f80fbb17a55d821238f75&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615531816142883"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4748	chrome.exe
4748	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4748	chrome.exe
4748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4640	4748	chrome.exe	74
PID 4748 wrote to memory of 4640	4748	chrome.exe	74
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 2860	4748	chrome.exe	76
PID 4748 wrote to memory of 928	4748	chrome.exe	77
PID 4748 wrote to memory of 928	4748	chrome.exe	77
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78
PID 4748 wrote to memory of 4384	4748	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1244905285567516755/1245253542760022080/XylexV2.zip?ex=6658143c&is=6656c2bc&hm=37281ae4a5cf809ff31c532b3414ab2e58aa1d76926f80fbb17a55d821238f75&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbc4c59758,0x7ffbc4c59768,0x7ffbc4c59778
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:2
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4592 --field-trial-handle=1804,i,7501194070867156216,15471517340917244258,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
936B

MD5
7086a7fc6ab2c1231f7fec22b593bf04

SHA1
f86438a52a61c69b62faab69488c63f4fdb47896

SHA256
77e83beb8fc56d6101352d6bf8f952936179b7ace0c31c6c82a5bef4434e58be

SHA512
0ab797d6f2fab2e496a77c54f677b367e01ed31fdfbac4a53c51de415322c8b01e9aafecf032bae7c9a1d8843adb1ce32c3b7f14cc81e41a1e808cb61bbc13dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
936B

MD5
6261818ee86e2103194f936858cd0e19

SHA1
e07323180c7baea63cd894bd5641aea35edb6480

SHA256
39e89aeb21889ceb3bcc2befaa251833bc167147d8964b7fd9c00369c718b076

SHA512
124d6ab5de36db09600bc3fd474a5179cc9fb5ccdf39e715c7e6d196a024d44c9504369e291a8525c00c24f5578d6fd84d91d5cdf6b27110b37bb84b2cbe970f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
df929d97a470508df3941b41569dbe49

SHA1
a50badd4ae65ae82df85c01e80a06e93f79d0aba

SHA256
def65459152b0a6dd7fed470a49b1c5f23ed370b1dae279ea9cdd62f14661be5

SHA512
146a2e0fc7ae1105d862f8c01d4d1bb87cad99d0e96e5707b7ba2511c11021efc0b8a67fff4857ce190c7c1fd8fd78815b14dbfd7804931bba2945f726a21766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
519dea011c3e8278e54a5a1baf98504d

SHA1
4b8d1ff205a794e24bd37938a56bbb30b96059f4

SHA256
f48daf5bcce3f3019de75d8cd4ff163e7ada9d41de1f4039752b3ba3bef0e5f0

SHA512
9e73bae862d56ac6c16b79a8b53f11510c5e735fc2fdbf72ddbf42b0e1807e847365c41a73a71d8b1f2c46c24da4459b3314c1bb0285597fe600dd7373e33b6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
058b1730fb2da95371671b3540f08850

SHA1
5ca8dfed3d3d49af7b16db593c8e26708116474c

SHA256
e14bbbf304592ffbd5a7e8c524e3ac12b20c241f22cd743555f18a196e1e806a

SHA512
809a0d18ec3f8e55aea8fe7b892ad3d44e7292e80c7fcf89b574006260ec79717c59410e1c529755fd2d521cb252662b57910df2e0221aeb5de76e24056cfd02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
5d058720eca35ecfddf2ce70d21516d2

SHA1
8725fd61fce46c0136d8ecfa52f861d0f9ba73dc

SHA256
7e20487862be0d1fd2100c00c2143194efa202fa06242ea0f0087e8d276b1496

SHA512
ce329c458e1d1ea8bc656979f610ddb1388b9cdc597ce3d9557f1201032d1bcdb7b0c2aa0e276c89719af93280e63449d5393116911bdec2672f5c69127e44d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit