6284749beb1d6773e265524485d68268c9c90a385b82c229c16123f9839d087f

General

Target

Free Discord Nitro.exe
Size

662KB
MD5

98d08b7942589fe9e468a91f048dcd3d
SHA1

af2950a505dd6e594f6f22305b939d5befafbe6f
SHA256

2d18c676d4c1bbfa2939d36e88d95ece52af4220f0579a15d68642906a42f3c2
SHA512

6672b5b900412a167d1d4e2bfaf4a2d901ed800cdb65f25645d498178839529dfb0de51610e59fb1de867a76fa8a82cdeb11ed4bfc55a4eefd356b510d62f4c5

Score

10^/10

agilenet

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2648 created 2340	2648	WerFault.exe	79
PID 1640 created 3924	1640	iexplore.exe	82
PID 1640 created 3924	1640	iexplore.exe	82

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinNetwork.exe	Free Discord Nitro.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinNetwork.exe	Free Discord Nitro.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral4/memory/424-120-0x0000000004B40000-0x0000000004B4A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 424 set thread context of 2340	424	Free Discord Nitro.exe	79

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2340	WerFault.exe	79

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4B1DE54F-B93F-11EB-B2DB-6EE0A42A1E5F}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B1DE54D-B93F-11EB-B2DB-6EE0A42A1E5F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2340	Free Discord Nitro.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	Free Discord Nitro.exe
Token: SeRestorePrivilege	2648	WerFault.exe
Token: SeBackupPrivilege	2648	WerFault.exe
Token: SeDebugPrivilege	2648	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1640	iexplore.exe
1640	iexplore.exe
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 2416	424	Free Discord Nitro.exe	78
PID 424 wrote to memory of 2416	424	Free Discord Nitro.exe	78
PID 424 wrote to memory of 2416	424	Free Discord Nitro.exe	78
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 424 wrote to memory of 2340	424	Free Discord Nitro.exe	79
PID 1640 wrote to memory of 3924	1640	iexplore.exe	82
PID 1640 wrote to memory of 3924	1640	iexplore.exe	82
PID 1640 wrote to memory of 3924	1640	iexplore.exe	82

C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe
"C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe
  "C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe"
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe
  "C:\Users\Admin\AppData\Local\Temp\Free Discord Nitro.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1116
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3924

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\34bde6cbdc2348db954c4db977d3e8a5 /t 3868 /p 3924
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-114-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/424-116-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/424-117-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/424-118-0x00000000048E0000-0x0000000004DDE000-memory.dmp

Filesize
5.0MB

Download
memory/424-119-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/424-120-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/1640-124-0x00007FF8936B0000-0x00007FF89371B000-memory.dmp

Filesize
428KB

Download
memory/2340-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-126-0x000000006A560000-0x000000006BD16000-memory.dmp

Filesize
23.7MB

Download

Analysis

Sharing