49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b

Resubmissions

01-07-2022 14:29

220701-rtnqfsgbcp 9

01-07-2022 12:59

220701-p717lafbf4 9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e3ff2c1ad395cc854e2b620adc1a0f.exe
Size

7.6MB
MD5

38e3ff2c1ad395cc854e2b620adc1a0f
SHA1

ff1f4c054615337476ec558d22c69f578c5a9af2
SHA256

49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b
SHA512

0bd5b7b8dd03f9099504d6271e2bcd4aac0fd8a24b6097ac71ce33328bf4e7c305183919c40c1a64271eebf48643040ad4d0f0311bcd04a5143f237e39f16d98

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Executes dropped EXE 4 IoCs

Processes:

update.exeSecurityHealthService32.exeDiscordUpdate.exeSecurityHealthService32.exe

pid process

1708 update.exe
4708 SecurityHealthService32.exe
2308 DiscordUpdate.exe
4424 SecurityHealthService32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
1708	update.exe
4708	SecurityHealthService32.exe
2308	DiscordUpdate.exe
4424	SecurityHealthService32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4628-130-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida
behavioral2/memory/4628-131-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida
behavioral2/memory/4628-132-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida
behavioral2/memory/4628-133-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida
behavioral2/memory/4628-134-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida
behavioral2/memory/4628-143-0x00000000002C0000-0x0000000000EFB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Drops file in Windows directory 4 IoCs

Processes:

SecurityHealthService32.exeSecurityHealthService32.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe
File created	C:\Windows\ServiceProfiles\LocalService\tempfile.tmp	SecurityHealthService32.exe
File created	C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe	update.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\update.exe = "11001"	update.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecurityHealthService32.exeDiscordUpdate.exe

pid	process
4708	SecurityHealthService32.exe
4708	SecurityHealthService32.exe
4708	SecurityHealthService32.exe
4708	SecurityHealthService32.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe
2308	DiscordUpdate.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid process

4628 38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exeupdate.exeSecurityHealthService32.exeDiscordUpdate.exe

description	pid	process	target process
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 4628 wrote to memory of 1708	4628	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1708 wrote to memory of 3660	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3660	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3660	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3460	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3460	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3460	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3420	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3420	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 3420	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1492	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1492	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1492	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4356	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4356	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4356	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4300	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4300	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4300	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1480	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1480	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 1480	1708	update.exe	powershell.exe
PID 1708 wrote to memory of 4708	1708	update.exe	SecurityHealthService32.exe
PID 1708 wrote to memory of 4708	1708	update.exe	SecurityHealthService32.exe
PID 4708 wrote to memory of 2308	4708	SecurityHealthService32.exe	DiscordUpdate.exe
PID 4708 wrote to memory of 2308	4708	SecurityHealthService32.exe	DiscordUpdate.exe
PID 2308 wrote to memory of 4424	2308	DiscordUpdate.exe	SecurityHealthService32.exe
PID 2308 wrote to memory of 4424	2308	DiscordUpdate.exe	SecurityHealthService32.exe

C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe
"C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService32.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthServiceManager.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\System32"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Tasks\Microsoft\Windows"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\Temp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
"C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
99c62207467a72666bbf00a662790ec9

SHA1
8328b35e61c838bddfad401b89f3fd73ef5bc599

SHA256
6c0415e9e3628914905f700f8d60da79560105063da47e8e97297d9629a6feaf

SHA512
f884b86af566bf234d2fe9f330d9cd044f0df71e7805aaf5f6efcea2bf8e1e7c9e908a773312667e7efbdc91aded1d39698e48e6052065be0ebc733b1f30acac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
99c62207467a72666bbf00a662790ec9

SHA1
8328b35e61c838bddfad401b89f3fd73ef5bc599

SHA256
6c0415e9e3628914905f700f8d60da79560105063da47e8e97297d9629a6feaf

SHA512
f884b86af566bf234d2fe9f330d9cd044f0df71e7805aaf5f6efcea2bf8e1e7c9e908a773312667e7efbdc91aded1d39698e48e6052065be0ebc733b1f30acac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
97c184cc68103d216da67a8291c81057

SHA1
1cfdb53266d98b8c180b37bf911e7420f45c3f97

SHA256
1ade6ac0177bc798ed71661cd9d1f9cba7da601bca7caf2cbfdca91773176edc

SHA512
c500e8aacc4569b5559c589b69f54c1b144543b866f8e435ac3cffc3e65e0ead2bcba4654a8a6b30bcc34c1c8ce16495f2044c0bb5569d727f1979ab7c150646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
97c184cc68103d216da67a8291c81057

SHA1
1cfdb53266d98b8c180b37bf911e7420f45c3f97

SHA256
1ade6ac0177bc798ed71661cd9d1f9cba7da601bca7caf2cbfdca91773176edc

SHA512
c500e8aacc4569b5559c589b69f54c1b144543b866f8e435ac3cffc3e65e0ead2bcba4654a8a6b30bcc34c1c8ce16495f2044c0bb5569d727f1979ab7c150646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
97c184cc68103d216da67a8291c81057

SHA1
1cfdb53266d98b8c180b37bf911e7420f45c3f97

SHA256
1ade6ac0177bc798ed71661cd9d1f9cba7da601bca7caf2cbfdca91773176edc

SHA512
c500e8aacc4569b5559c589b69f54c1b144543b866f8e435ac3cffc3e65e0ead2bcba4654a8a6b30bcc34c1c8ce16495f2044c0bb5569d727f1979ab7c150646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
aa6e0fa1dba7d63917d59ad43e00f923

SHA1
ccd7b7a332db17dc09a5bd9f161024a9a539737b

SHA256
26d40c0d57a0a0ef9e38158afb5b5bf8ec16486b3dab49e781fdad0af771b359

SHA512
9a7ea2e50e0d5d0b5c19bfd21daaee6fd5fc57e0ca6c624f4b5b4bc993332bae798a8be537b8c4895cc8b1e7af93410ad6ed8efa6186db5a9c3255393610fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
memory/1480-165-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/1480-177-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

Filesize
32KB

Download
memory/1480-175-0x0000000007CB0000-0x0000000007CBE000-memory.dmp

Filesize
56KB

Download
memory/1480-161-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/1480-153-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/1480-147-0x0000000000000000-mapping.dmp

Download
memory/1492-168-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/1492-144-0x0000000000000000-mapping.dmp

Download
memory/1708-138-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/1708-139-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/1708-135-0x0000000000000000-mapping.dmp

Download
memory/2308-152-0x0000000000000000-mapping.dmp

Download
memory/3420-164-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/3420-172-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/3420-142-0x0000000000000000-mapping.dmp

Download
memory/3420-149-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/3460-160-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/3460-169-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/3460-141-0x0000000000000000-mapping.dmp

Download
memory/3460-158-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/3660-140-0x0000000000000000-mapping.dmp

Download
memory/3660-176-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/3660-170-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/3660-174-0x0000000006FC0000-0x0000000007056000-memory.dmp

Filesize
600KB

Download
memory/4300-173-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/4300-162-0x0000000006430000-0x0000000006462000-memory.dmp

Filesize
200KB

Download
memory/4300-146-0x0000000000000000-mapping.dmp

Download
memory/4300-167-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/4356-166-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/4356-171-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/4356-159-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/4356-163-0x000000006F760000-0x000000006F7AC000-memory.dmp

Filesize
304KB

Download
memory/4356-145-0x0000000000000000-mapping.dmp

Download
memory/4424-156-0x0000000000000000-mapping.dmp

Download
memory/4628-130-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4628-143-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4628-134-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4628-133-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4628-132-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4628-131-0x00000000002C0000-0x0000000000EFB000-memory.dmp

Filesize
12.2MB

Download
memory/4708-148-0x0000000000000000-mapping.dmp

Download