Analysis
- max time kernel: 117s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 13:24
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: DiscordDeveloperUpdate.exe
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: DiscordDeveloperUpdate.exe
  Resource: win10-en-20210920 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: DiscordDeveloperUpdate.exe
- Size: 8KB
- MD5: c9613a35a654572d3a60b87c1c85ff14
- SHA1: b716cfb4988a3e884615bf929ecebeed52fe6708
- SHA256: 6abe1f3f2125d635acf5f867832e75129eb8c2b9ac76e5a9325ca08c7ef8e678
- SHA512: 978892e194f30e2e4f940ef0d88055a93dd4dcd35761bd26b9621247575932abd2ad7968914eb5b6fa28a6e1b90fb3c64280473f512f0e70bfcfb7971c1e9d5e
- Score: 6/10
Malware Config
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    3    | wtfismyip.com
    4    | wtfismyip.com
- Program crash (1 IoC)
  Processes:
    pid  | pid_target | process      | target process
    2856 | 1380       | WerFault.exe | DiscordDeveloperUpdate.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid  | process
    1380 | DiscordDeveloperUpdate.exe
    2856 | WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description               | pid  | process
    Token: SeDebugPrivilege   | 1380 | DiscordDeveloperUpdate.exe
    Token: SeRestorePrivilege | 2856 | WerFault.exe
    Token: SeBackupPrivilege  | 2856 | WerFault.exe
    Token: SeDebugPrivilege   | 2856 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DiscordDeveloperUpdate.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordDeveloperUpdate.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1904
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken