hxxp://bluediamondsystems[.]xyz

Analysis

max time kernel
150s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bluediamondsystems.xyz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133560419692785526"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1192	chrome.exe
1192	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4696	1192	chrome.exe	77
PID 1192 wrote to memory of 4696	1192	chrome.exe	77
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 3748	1192	chrome.exe	79
PID 1192 wrote to memory of 2716	1192	chrome.exe	80
PID 1192 wrote to memory of 2716	1192	chrome.exe	80
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81
PID 1192 wrote to memory of 404	1192	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://bluediamondsystems.xyz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fface899758,0x7fface899768,0x7fface899778
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:2
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3804 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4900 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 --field-trial-handle=1912,i,1907466323374908694,5392489123339282013,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
402b602d0bc0701f3382a2453e6269a7

SHA1
cc18ff5574cce8545661fedc97c46d15f62bb9ca

SHA256
2f3b1c481233f2d8ba65924325c2a682bf9c03b5ead93c58d05970e36bbd6f86

SHA512
c8139d872528e369d8c8465a34954abb5817468bcc41625b3dc7092114b133c4be070bd78278d28dce59ff286cc021d1d28bb763de2e73a36834cba676612b36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
306258695bc8f32c8d12bc1cf9fb8060

SHA1
f8197d477b09a964c0b6ead12c4bae6e6527b652

SHA256
47e22834af3cff7a306f45cc930efc9d3fa3d633e0e216d271fb771786e1b8a9

SHA512
618fffc82ca61a324e3cff1ae4231adc6fe0388845296154a663ca93405d1c1f390451f46de2927eeaf2b606f99b2f0547979bddf0cc128bbf2431fe6e230313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e516c1b8cd73269917e7eb848f7b2655

SHA1
a98f0b7527e31e79edef4fb9a5c47c7c01198863

SHA256
633eb868fa39c72996d90832a079f1d3b6707566f57d40d43a13a45d9a2f93a4

SHA512
0eed635b36d872d36b443be12847e5ba93d2a3cb382a43faf1d87c1280022b58a3b69159115d4a122dc5e751ace280e9061feb21eb741e614b4a43f04ea7db19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d51decc18dcdf145caf355893beb1329

SHA1
d3896ceb01d58f37d08aca6eb0763a7ca99274fb

SHA256
75d3aee0e89508a96d5e54fe0856f757ad73a65c0bb5434d8c6b081423cd7663

SHA512
a2132a7fdd8734ad1edff9868ce9d4453904c3b9cbd65e82758032ddc152086210d8ff8cf6378bc7265e47567796fea6e745469e9826ed9b71865b0ffae8e4f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13d586690c9af62023478c7fa0e8086a

SHA1
9845472fad886ec2927790b7403b4c0f8ffcd1d6

SHA256
887ca6bc4862c7b3ce5a4e516984db133f689f0a339819fcce5697cc9734b174

SHA512
5db64da321079a3b2a9003c54ce5ced89326b2f95d266062fb935041a13d55b2e516e08438fa3da3435e16944803fd5acbdb09d788578d71c3271e5d8da269f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
134KB

MD5
3fb4a476d2f90cefe95da1d55699c27a

SHA1
3815d6d7522e03637d8eede67058bc3125896664

SHA256
6dcb60d93ca0b00bc1ae6ca3d8bb0e7c365c4a1ef707d107bc873776b52d4706

SHA512
2ffb083d2e573845d5fd6add48bcdde87e4a29e2c74649dff2e2eb5099fa27f7ccf873a2ce90fbb0a94cab5d13f134627fa61647c1d6f486e7afd15f1b596cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit