hxxps://github[.]com/DevilXD/TwitchDropsMiner

Analysis

max time kernel
599s
max time network
590s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/DevilXD/TwitchDropsMiner

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
17	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133646803410965485"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
608	chrome.exe
608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1228	608	chrome.exe	82
PID 608 wrote to memory of 1228	608	chrome.exe	82
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 3268	608	chrome.exe	83
PID 608 wrote to memory of 4764	608	chrome.exe	84
PID 608 wrote to memory of 4764	608	chrome.exe	84
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85
PID 608 wrote to memory of 2804	608	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/DevilXD/TwitchDropsMiner
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad8feab58,0x7ffad8feab68,0x7ffad8feab78
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:2
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1860,i,10768977907331085388,12391402544944950756,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5cb0bf3649af79cfe9519c5510db4cb3

SHA1
4a96795eb68d01a5663d19a0f0191be6bb83b3c8

SHA256
3915bedbc444baf9fc4f1ed0b56c1cbfefbf96a83fa15e26d02b0c1f99b9cd3e

SHA512
f953931f5df7582639936e1cef0bfa374cf373e468c62442cd76eb98658cc870556d7c14f97b022f390353febf4bff75e9e61cd37f9fbbd4e259a552ae00d82d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fa7d2c12f535b86c4ffc0c822cf802ea

SHA1
d8273c997a037204d0e06d987e117b2457628e55

SHA256
af7b2de7ef3a99d9f0130a4974db9354e8fe03f0590b018b856371afabf531d8

SHA512
292b18e1ef1bd8d032b7f32033162424526539d05594f52ad49a57d23ea389c187a9435df238c38237d58a986b927aa3ffa698ea0aac090211fda68b8ffb5919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
18a2449a90ad61d1491c21cc3ce75b29

SHA1
de9c1fe67609986cb9b1b553a6e8dbc108c98c51

SHA256
8261b3080996c3f9e0ee494f36c8e725068d4a3da29771dc4dabe69ae64348b5

SHA512
b677cf4e316792189a9f69f13a1eee0abc99401776d72db4bfbdc10168cf80fc35d11a77a1564b8e56d197beeb7362d1d359c8d542ca24b149f90dafec6d9c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ab50fb2809d98204da37a61c2b369097

SHA1
0e51b5fed08b105d7924194eaebbadd742188bb8

SHA256
9568f7260c449d4ee129822411a59ba9095f547faee2f9e02f207ca737d01878

SHA512
214aabebdc92ea78702fec7b704662469d4eff27c2781ffc8bea6ce2c28b595c5999b2f34cae35a43ae271350ea96c569036a8d65ab12d44e68ec23470be863a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
d5dd1f5ff4ac3480b0ba9b8f4cbcee49

SHA1
dedd55758b6c840f8bc2375ac261a77ecf4f0da9

SHA256
c5ccbb83dad7f0672be7d6c331f86b15437f889174f81707e28b1b07fafeaf2f

SHA512
a26543e40c547d744b8117f8028d5ce5bac5fa2448b5fc78b1a37c8cba1ede3f2bb31872f9ac27afa93216b3ead867e0689253c0ed40926fc5e6659d73a182a3

Download Submit