hxxps://u[.]to/EzXBIA

Resubmissions

28/06/2024, 21:18

240628-z5218avgll 1

28/06/2024, 21:16

240628-z4ymeascrc 3

Analysis

max time kernel
599s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/EzXBIA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640843572829571"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
396	chrome.exe
396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2944	396	chrome.exe	91
PID 396 wrote to memory of 2944	396	chrome.exe	91
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 784	396	chrome.exe	92
PID 396 wrote to memory of 3628	396	chrome.exe	93
PID 396 wrote to memory of 3628	396	chrome.exe	93
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94
PID 396 wrote to memory of 3764	396	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://u.to/EzXBIA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda2bcab58,0x7ffda2bcab68,0x7ffda2bcab78
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:2
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=940 --field-trial-handle=1820,i,5744259130378644113,14297717848789541166,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1324,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
1⤵
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3636,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
127aad20fa821e34958fa57a102609d3

SHA1
b48a9f8577168a11042aa620cb0a161d3f89975a

SHA256
4c1d1453c577912ecffbb2d026e64d80130eaf97e10ddfc2fea171ef96a1bc34

SHA512
2204513f09636802edafa68cd23084b327362a72c831455d40d997c2f1d298a927ce6a4b667fa75512a863cb4c41e2651b17dd170da9badf00d6278b6c2e4aed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f53b0decf5d815a668aa60cd67356d30

SHA1
0e93c9add3f3a11aff5979d0ea488e0fc0f8ea51

SHA256
f076aa1fa819fda72bc8a64fa22dea75cd3c29ebd6397127f87b63dc82b04ebf

SHA512
76e223f9346e43ceace86a3f98c23f48c5abf4942743c4a5dfa651eb2abe8f0a81c598d4e65e2df09b357767730bbf176fa5f273a7730df29f77564022566e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
ea610a3c299cf2ac1e0a320cf8b1c198

SHA1
1f36d6df9acb10a58992c395f46e7374730f245f

SHA256
56336ccfb274277873cb492bb820dc3a69ff8c7dc4bf99b7adf481ee6ddac5d1

SHA512
b431f2849e6bd9c1c37ba3d7a0531264d890b60a37c0ef2c6d601251cae9d6c8bf9d2c0cb75941d39a11d3e45875229cff4444775aaecee2e1a9d0f21653959a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
2c6f750d266f59b226a2acefa2336a5e

SHA1
eb172e91083a8b9e0905ded4b69b0157a010f62e

SHA256
757f3c0989e0b7ef337345f21990ea6ba335e97a20df6e78dc0815e8568c4d68

SHA512
25813f17d00046d230efb45f0d8cb7ae3613ed629e0dd3c174c51904e7887bfc511b6e2003f99c8e33fe5092174ce97a00050e53d6f872e5c7b62cdec8a2fd21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f52b3a43ecd3c4181e4a0685a631db61

SHA1
f5699d28597fbc5fb1643413b607358f04a72a97

SHA256
91e2f10f198facd5075acce63197f6b3c60f3f3ef2e5538a896b64d318da779d

SHA512
5c1348e88b470f207144016ec8f8463de90e47163a507b5315bb44b408a3c686f084864e923a2a5e0201fdccf94193354a4ceda8356e45c14a1c4a692cf4175e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
f3909f1cdda14c1f524788b62a345d5f

SHA1
d4579587434d7b822b5d9bdec7dd226f340cc73b

SHA256
bf7006ba94020cb64f30a31a8659be1c87eeaf3955b8957087996dc9bead1b61

SHA512
6fc6c337522344b54c49ccc85d7f4b2da185e025aecb3803805cdc7b161cf3683d31e7debc7b62707a2c298d61b7c8411678411cf2a6e6531a4fe5961c4e98c1

Download Submit