hxxps://discord[.]gg/Xca89k5KvU

Analysis

max time kernel
20s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.gg/Xca89k5KvU

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133333906614858050"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{826A6CE5-8BF7-4BFA-8FBE-7D05CB8E48C3}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3792	1304	chrome.exe	70
PID 1304 wrote to memory of 3792	1304	chrome.exe	70
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 2900	1304	chrome.exe	86
PID 1304 wrote to memory of 1080	1304	chrome.exe	87
PID 1304 wrote to memory of 1080	1304	chrome.exe	87
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88
PID 1304 wrote to memory of 1988	1304	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://discord.gg/Xca89k5KvU
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe2fa29758,0x7ffe2fa29768,0x7ffe2fa29778
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3744 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4688 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=2020,i,2213041974795637691,4660391058928491698,131072 /prefetch:8
  2⤵
  PID:4700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1c58ce75-2888-4ca5-9ed6-dd196d9e5511.tmp

Filesize
89KB

MD5
477366d127239036fbe7b9b997f0dabe

SHA1
bae76ca11d1eae71983f3339074f4c3b38852209

SHA256
0e236ab8d4319b4f44121e9c9f3cac8825079bc39d8d24f0343ea1fedb100f8e

SHA512
559107d0a17930e6e585d4eec577058dd7c9c1c4e2dbfec87497a1f27cb730d81450eadadf3535e7c4cd89350921013880ae7ca92fcfeb1b096a76d169331ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
c6a1150b2d6d30565eee62dfe3c186ff

SHA1
2c26fde2e14657931b71b7140dcfb97f1c6c7380

SHA256
29f34b734ce76107138cc0531fb0e442d4d3475298a93caaae0c37cd12191981

SHA512
bfae973321b6f12a07f0de65e1f5a68d9d472e00485ebc8510ee9a4ac92b0310466ee37f6b6ed066bc2dd6097b572520ae41fdc260d461b581d6d52cbc2234c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2808f2bf6178b1df1a67f28f44ced8ef

SHA1
113c393375ae6b3f4b9b502426d8a4a06c375fd7

SHA256
ebc96837e880fe350ffd1dec47a3ef4a0090c548d5d09b62f84ba653192aa27a

SHA512
5dacf94792b61ffbe40a854569f7adb31a8eef57ce57b0795c9c0c24059a07c759764af1dda482da90704b583576a7b2394178bdeda76c9c9d5777da6a2f503e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
2bf744e6c4e239dfa600076d7e0efca8

SHA1
a43242b0112337fa847f7925c02b35940d7e5d1f

SHA256
65c939bce6b4001aed2c33d51fc731520b6ac8f3023dd207fa83f35da40b3325

SHA512
c98deceddfde2088d69ea223f6acb2831200cc2eaa73dffae2f592a9fccdb96cd816b992a07819c0f3c474cd258f22fd4bdc594feb0d0686b29a6686762bc1f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit