49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b

Resubmissions

01-07-2022 14:29

220701-rtnqfsgbcp 9

01-07-2022 12:59

220701-p717lafbf4 9

Analysis

max time kernel
14s
max time network
83s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e3ff2c1ad395cc854e2b620adc1a0f.exe
Size

7.6MB
MD5

38e3ff2c1ad395cc854e2b620adc1a0f
SHA1

ff1f4c054615337476ec558d22c69f578c5a9af2
SHA256

49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b
SHA512

0bd5b7b8dd03f9099504d6271e2bcd4aac0fd8a24b6097ac71ce33328bf4e7c305183919c40c1a64271eebf48643040ad4d0f0311bcd04a5143f237e39f16d98

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Executes dropped EXE 4 IoCs

Processes:

update.exeSecurityHealthService32.exeDiscordUpdate.exeSecurityHealthService32.exe

pid process

1924 update.exe
1628 SecurityHealthService32.exe
1816 DiscordUpdate.exe
1720 SecurityHealthService32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
1924	update.exe
1628	SecurityHealthService32.exe
1816	DiscordUpdate.exe
1720	SecurityHealthService32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Deletes itself 1 IoCs

Processes:

update.exe

pid process

1924 update.exe
Loads dropped DLL 3 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exeupdate.exeSecurityHealthService32.exe

pid process

1892 38e3ff2c1ad395cc854e2b620adc1a0f.exe
1924 update.exe
1628 SecurityHealthService32.exe

pid	process
1924	update.exe

pid	process
1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe
1924	update.exe
1628	SecurityHealthService32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1892-55-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1892-56-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1892-57-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1892-58-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1892-59-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1892-85-0x00000000002B0000-0x0000000000EEB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Drops file in Windows directory 4 IoCs

Processes:

SecurityHealthService32.exeSecurityHealthService32.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe
File created	C:\Windows\ServiceProfiles\LocalService\tempfile.tmp	SecurityHealthService32.exe
File created	C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe	update.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	update.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	update.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	update.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\update.exe = "11001"	update.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecurityHealthService32.exeDiscordUpdate.exe

pid	process
1628	SecurityHealthService32.exe
1628	SecurityHealthService32.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe
1816	DiscordUpdate.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid process

1892 38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exeupdate.exeSecurityHealthService32.exeDiscordUpdate.exe

description	pid	process	target process
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1892 wrote to memory of 1924	1892	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1924 wrote to memory of 1696	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1696	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1696	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1696	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1736	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1736	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1736	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1736	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1544	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1544	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1544	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1544	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1552	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1552	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1552	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1552	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1048	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1048	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1048	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1048	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 2024	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 2024	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 2024	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 2024	1924	update.exe	powershell.exe
PID 1924 wrote to memory of 1628	1924	update.exe	SecurityHealthService32.exe
PID 1924 wrote to memory of 1628	1924	update.exe	SecurityHealthService32.exe
PID 1924 wrote to memory of 1628	1924	update.exe	SecurityHealthService32.exe
PID 1924 wrote to memory of 1628	1924	update.exe	SecurityHealthService32.exe
PID 1628 wrote to memory of 1816	1628	SecurityHealthService32.exe	DiscordUpdate.exe
PID 1628 wrote to memory of 1816	1628	SecurityHealthService32.exe	DiscordUpdate.exe
PID 1628 wrote to memory of 1816	1628	SecurityHealthService32.exe	DiscordUpdate.exe
PID 1816 wrote to memory of 1720	1816	DiscordUpdate.exe	SecurityHealthService32.exe
PID 1816 wrote to memory of 1720	1816	DiscordUpdate.exe	SecurityHealthService32.exe
PID 1816 wrote to memory of 1720	1816	DiscordUpdate.exe	SecurityHealthService32.exe

C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe
"C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService.exe"
3⤵
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthServiceManager.exe"
3⤵
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService32.exe"
3⤵
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\System32"
3⤵
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\Temp"
3⤵
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Tasks\Microsoft\Windows"
3⤵
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64"
3⤵
PID:1048

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
"C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a2ab5cf36c0dd97e6612fcff107620a1

SHA1
eb842938ea332eb20a74ec3c9cdf00ca35428e11

SHA256
1889f473a137f13919fbde5baa85e45553cda3ba47576632478ff93e2bcd18cd

SHA512
9f75600ce74e76650bf7d26ee8e08c585ea68d0f7c29b814351df23606341686749bda6175d9091c39073e4e205846d50d63b38a58c23d9b973f254ecbf982d5

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
memory/396-113-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/396-91-0x0000000000000000-mapping.dmp

Download
memory/1048-90-0x0000000000000000-mapping.dmp

Download
memory/1048-112-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-114-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-88-0x0000000000000000-mapping.dmp

Download
memory/1552-111-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-89-0x0000000000000000-mapping.dmp

Download
memory/1628-101-0x0000000000000000-mapping.dmp

Download
memory/1696-86-0x0000000000000000-mapping.dmp

Download
memory/1720-108-0x0000000000000000-mapping.dmp

Download
memory/1736-87-0x0000000000000000-mapping.dmp

Download
memory/1736-110-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-105-0x0000000000000000-mapping.dmp

Download
memory/1892-55-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1892-85-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1892-56-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1892-57-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1892-58-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1892-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1892-59-0x00000000002B0000-0x0000000000EEB000-memory.dmp

Filesize
12.2MB

Download
memory/1924-68-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-75-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-84-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-83-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-82-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-80-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-77-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-115-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-73-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1924-72-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-70-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-71-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-66-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-62-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1924-61-0x0000000000000000-mapping.dmp

Download
memory/2024-92-0x0000000000000000-mapping.dmp

Download