hxxps://discord[.]com/oauth2/authorize?client_id=1218966084951085207&response_type=code&redirect_uri=https%3A%2F%2Falix[.]seijuro-oauth[.]com&scope=identify+guilds[.]join

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/oauth2/authorize?client_id=1218966084951085207&response_type=code&redirect_uri=https%3A%2F%2Falix.seijuro-oauth.com&scope=identify+guilds.join

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	discord.com
14	discord.com
15	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552985308847419"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{BB5F77F2-5D6C-4173-ADC8-28CF8EFD38B2}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
1724	chrome.exe
1724	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3136	4492	chrome.exe	89
PID 4492 wrote to memory of 3136	4492	chrome.exe	89
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 764	4492	chrome.exe	91
PID 4492 wrote to memory of 4956	4492	chrome.exe	92
PID 4492 wrote to memory of 4956	4492	chrome.exe	92
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93
PID 4492 wrote to memory of 3644	4492	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://discord.com/oauth2/authorize?client_id=1218966084951085207&response_type=code&redirect_uri=https%3A%2F%2Falix.seijuro-oauth.com&scope=identify+guilds.join
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6b999758,0x7ffc6b999768,0x7ffc6b999778
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:2
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:8
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 --field-trial-handle=1688,i,5118514233216918116,17923798797927556837,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0b23087d9ad34f6b274e4fb095910ade

SHA1
24aed807ef13a71e6facbca9a69bb2abcf4bbf35

SHA256
a130f98df926a585a37d25ac71dbc23d23cb6427f38ebb7c220fbf9804e5d861

SHA512
a36c127da678d13f66f46cfabae10b407333f907f86d1ede5dee0565c0f91b606e9673eadd4366346071b8706a61804f296ddfb5e68a0f6c69af5abe6447a99b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1ec2e64283cab933934ec1ce9a8561ba

SHA1
5b01cf19d531a8b861f9fd11ff75cbd547b6294f

SHA256
4906e0f6e2b081b9c3c5157634e02f990c177c09cd372eb2dc2d87b05b299b3b

SHA512
003eb400c5c3b43b21fb299b17f06348c68db3ff21959b7847eb1005e14fe7e6c223bb74317bbb5e27761d81d79807f0f6478c242abd4b40004489ebe68aae47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5a20a18a140893feddcdbfd915433d65

SHA1
c8052b11efe9116f03b7771ace559407da97c27b

SHA256
6423b576a22d0159b8c1f36ea3e457f3fa8be524ba27121b53836c235310c906

SHA512
8f4deeefb02df472ee9bfbc3c55bd9a5028e523c61007886f87bb9a3163fb90efcd22e6748b4cc267f7e9c40db58493faa690734b0ad1f77666745e6b59a4baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
a2466b7390020ffd5855d66080d8e8eb

SHA1
e64437b1c06b84a59d5d92848a8d074bc481cbca

SHA256
fd2c61314c80abc5766324af72b4288174e4a92224f6d873a98a34d0cbcbb8b9

SHA512
8c2be61488c42c6719fe4118c5a4f743b873f2640e0a28f2c348abc46ab97136148e50fb6fcea6004a1b9e5118bafecb59d909deade8885054408f632c9c677a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
90ab196b5f710183f757548d3dac0f83

SHA1
411e65bc8bc234e1d02be2a82b6745761a041a4a

SHA256
2e74b33b9b165ee600ad7e2f444ef9c5beb9a093c5e0ded356e85535ce7b6e07

SHA512
907f9b4c6733535e58bae130ca9d5a0a286aa9e7560d29b39407301c2c564b6eb1e3267d2831118fd2b49b4180f82f73e581bc71e772a976b0776a9f285c3564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
c3788ef290465d57d71e2b7f44890f0f

SHA1
71b387fa3ca99330cc9ffbab75e7a2d0fb5e1cf0

SHA256
f8731f1747a297ddc23b447f2b3293eb07035c101dd7865005af499a2a5ca598

SHA512
ad739885fd1e53a26db873d2f5d0887233e3b1cd50c441c55fe7fc9a8682d3c549908c3c7776dc7bca621e4ec12de8ca99217875c700fd943769e1109c89cae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit