hxxps://github[.]com/Testabots22/Bloxflip

Analysis

max time kernel
1800s
max time network
1804s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
02-03-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Testabots22/Bloxflip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538504461217560"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1232	3052	chrome.exe	77
PID 3052 wrote to memory of 1232	3052	chrome.exe	77
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 3384	3052	chrome.exe	79
PID 3052 wrote to memory of 2080	3052	chrome.exe	80
PID 3052 wrote to memory of 2080	3052	chrome.exe	80
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81
PID 3052 wrote to memory of 2136	3052	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Testabots22/Bloxflip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb8f29758,0x7ffbb8f29768,0x7ffbb8f29778
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:2
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:1
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3296 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:1
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3744 --field-trial-handle=1832,i,7552503328252098884,18276920272929610805,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
12303194de8cc4bf7470387b408d1759

SHA1
abdd6cbb2798356902ff9a1091ed477493e26bf5

SHA256
5f72583a346aa83dbd3b7172fc786af497e00e8318c3020558621b62a8ce388c

SHA512
ca87022aeed3d8f8ac286cfbcfdace95a200a55d97a4727af7802749b0e41d847a6b62c5a874eb4997742993e6b6fee0f59c9126cf92741c081232ed2d7c5d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f9018bfe087056761037e0279ede8ce7

SHA1
a8faff5de66146a3eea2445fe0589e1b3da58393

SHA256
d3e47a68c307ff1eaddffc14d764adff40afc1ff7fbb923894b50fa1ad10b944

SHA512
074e55547158835623fe6d9fb5d243dca522db42d6d76392043a6f7b57ec1acabe4e1551f1bf8ad99210e262ee2defad27a025bc9cb7beb3515f532a49352d01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6fd7343754b6bb235a67953d329c535c

SHA1
6bbd10b4a0a4a54d271a3896497677ce17a24570

SHA256
6c451b0ee8fd400aff978212c95c2dd11c40b9c7a7646404ab458d93d487e504

SHA512
34ad0cd402750b164ada04436af6ae8914b4832b1c67e5eb663a65474cffd0af73cb65d564c1f3b94b7131ccbd288458cc4cb70a3009a7a774e22e4215e4bfd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8f77912cc27f4a84c3e272092742354f

SHA1
304268ee3614945f90d29b75ac70463969acd8e9

SHA256
bfbb3f6d09983a182a86360a0eb324af0a615b2694d279e44ad393865da164cd

SHA512
d7da81f5da37e8b246150aee834388039877f4f9e5ec9fefae5cef8cd03221209f9204b62a57bef28e6db2d28a04f1ca064df734f167e2b94999ca109040e203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5cc1ad8faf00637b6b27c44b47312676

SHA1
2e7576126fa8811a8b5254ec007e393b4e6c888c

SHA256
00596e6c8d6d44b7fef04f55f67a860730bd16d039ef1b7c4f9398c617b311a2

SHA512
38563900e17077d356ba269285ba8933d000501dfbfbc4322f0d0c88a3aba65dd2597e0e0df28bf5d524221397d3acde47b464970e505b502ac9cba0fde5b69c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47adf33f5e7966bb29ff14cd122c0b2f

SHA1
0aebc07646b4555ac799422e0663de67dc57c873

SHA256
71f389bd35cdc82881ddb2d020e85d222e3b1a449e1e3d135913aaca47951119

SHA512
46eacc9c45891143546230f468799b1f31bea88f8552cc839e2b40e8422fc2b1191ce3914e3e18e7f0b99480ccbd4160655c939aac65d69c7f2e850a445cd117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
e956681c3ba0b9dca447d39607629565

SHA1
41e3a3bf73adfe8108fe6fce739ba05550b091a6

SHA256
c53d22ad0df703620890efd023607118b892dc30cbe8cee1afbb7e261fce52b7

SHA512
bbce4bb10807d29876519e32cbbc11b6e436d93eaeffd35d76de4a2bba9b33d87aac10650b1c26acd945425f57718383e823fe47ec78d6b7e9a5db720396e7e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd5d58db0218d4dd0781deef3e91fcde

SHA1
041605efb786dcee64370298407bc82bf0ad3742

SHA256
4d180df920df218b59ac2fa67223bc0ea367af835035e960670034c692ee982c

SHA512
bca7cb841ecb89c6a38377840c6fff131368200df978ad99408562f4c57e7e4a08e4f43ec840d1e2ed1f527c418f9c6cff5d3b8b344b75c8c312462c277853ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
c340d24690a6241015d02ce9d73ebdce

SHA1
8c788679b6273173b0d4878cef36f08d8ee05b36

SHA256
6c8c171105aca7c6f6f8d46478907b8eda2d11d6054a3715f1764c2cb67c838e

SHA512
0da3edbadf9d5365fae603a4e59b04bf408fa9f959c063182f35dbce37897fe3e16ad823acfbdee37eff9b34cade7bc90d38fb577259f3adc77a88926472f910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit