hxxp://discord[.]gg/blockate

Analysis

max time kernel
43s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://discord.gg/blockate

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133424096236710992"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1574508946-349927670-1185736483-1000\{079F6DCF-5D7A-4B17-8357-4869523A80F0}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3464	4544	chrome.exe	83
PID 4544 wrote to memory of 3464	4544	chrome.exe	83
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 3516	4544	chrome.exe	86
PID 4544 wrote to memory of 4432	4544	chrome.exe	85
PID 4544 wrote to memory of 4432	4544	chrome.exe	85
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87
PID 4544 wrote to memory of 2864	4544	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://discord.gg/blockate
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdefcf9758,0x7ffdefcf9768,0x7ffdefcf9778
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1292 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4480 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3476 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 --field-trial-handle=1900,i,11070551616030317141,16185412217048985097,131072 /prefetch:8
  2⤵
  PID:5008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
d46fed70d0f4946b44ee887068c03526

SHA1
399f59e31be7b9d46969a8b7cb5b771f84a627d8

SHA256
39936fd103dda2c4b6f35035ef483154bcf151490fcc372c0eaeca7294c7eeae

SHA512
ac9ca204d32c5dd00b3c669ead8234a7a49c7dc03c3762dc546e52c953399ee75fc2391d3cebb2f24cd71ce0c3a98a907474d24e79648d6999c7e9a76f09839b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
1dd8cbaac73c9d5f5407711cf2c97538

SHA1
98dbe54d3257838d73beee0b864cbf756c6b7091

SHA256
909ffd53fff548647d5f8cfb92891f9d9c783af3227ba87c9eedfed4ac56346e

SHA512
e09b9e01243222fba5e4d3f662e628961c84fe2fb42234a43f2925b5b82493c87dc943281f617af8051d4cad578f9e8e9f7858bf448a8c975e6d2b3a151beb8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
01fd840388b14ae693d77a667c223421

SHA1
2959336e8edc31d1e7489107dcf8b6f1a4f8d3aa

SHA256
1ec5bd5df59f426768f4120fe81e61952dbda2fbdc0f54903807a624442ff8f4

SHA512
1b981bf1a9adb197e11162b2ba5345146e51134734026083a349bd7034f244a0469b8f1b1185b0992a7ae7d5cfb05fc0dea56bc6f158694a2b5621e0ab581532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e86d3df7596d3445b8cecc9479d340a5

SHA1
7ff324aead0e30962746b103525dc8851c2e8b0b

SHA256
97b7e39e043d19a29359ac687a7d56a5ca2caff0bb1c08d4d4c460c9b754762e

SHA512
76de33918ba29cd505cb650026828b55ba1de2679d80efd68d9edd4610d135e6f9555786d5107af5302eb0ef0288eba8213e58c7fc8735f4b471ce6a189d90fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e6f96dfb75c0ad5f006330aef13fa967

SHA1
8df9d468c74fbb365c3440fd78ff8f72edbad1a1

SHA256
c13d9f893e5fa84a8ba391e75edf0031b871a5900ec5437864ebac2b71aec6bc

SHA512
57d100e46fac64fb65a38a4f8fc603a60472a9ac07cc8292e69262bbac72fa06ddf65a86f9d010cdeb8fa1d4bdcc2046c899ef3bb72480a1fc105041918df92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit