4286f05225b773ba95830a248e111cb47a12f4a3cb60d8f823a6cb8a461ccb98

Resubmissions

04/06/2023, 16:31

230604-t1hh5acf88 9

04/06/2023, 16:30

230604-tzxlnacf87 9

Analysis

max time kernel
16s
max time network
18s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04/06/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DiscordSetup.exe
Size

5.3MB
MD5

9cce9ee0020b6f3771ffea7f00fddae0
SHA1

9b35d27cc87d54413ba920fb0ba46d437bb2a285
SHA256

4286f05225b773ba95830a248e111cb47a12f4a3cb60d8f823a6cb8a461ccb98
SHA512

d71b4cd71369e0befc95770faff086be529455b6e281dc728dbbf6e568ec8b41ce926b61b70a998c14080094c5a25d74ad313dbcead1d960ecbf6ac118e0f038
SSDEEP

98304:aKoJzvhoTYC61CGlcnn2pL3+Skbr7oOCvpn3sgJxzz5sjwiYHJf:aTR5okC61CGlcn2V6bvU2grzijMl

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DiscordSetup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DiscordSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DiscordSetup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DiscordSetup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3536	DiscordSetup.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4396	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe
3536	DiscordSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3536	DiscordSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	DiscordSetup.exe
Token: SeIncBasePriorityPrivilege	3536	DiscordSetup.exe
Token: SeIncBasePriorityPrivilege	3536	DiscordSetup.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1552	WMIC.exe
Token: SeSecurityPrivilege	1552	WMIC.exe
Token: SeTakeOwnershipPrivilege	1552	WMIC.exe
Token: SeLoadDriverPrivilege	1552	WMIC.exe
Token: SeSystemProfilePrivilege	1552	WMIC.exe
Token: SeSystemtimePrivilege	1552	WMIC.exe
Token: SeProfSingleProcessPrivilege	1552	WMIC.exe
Token: SeIncBasePriorityPrivilege	1552	WMIC.exe
Token: SeCreatePagefilePrivilege	1552	WMIC.exe
Token: SeBackupPrivilege	1552	WMIC.exe
Token: SeRestorePrivilege	1552	WMIC.exe
Token: SeShutdownPrivilege	1552	WMIC.exe
Token: SeDebugPrivilege	1552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1552	WMIC.exe
Token: SeRemoteShutdownPrivilege	1552	WMIC.exe
Token: SeUndockPrivilege	1552	WMIC.exe
Token: SeManageVolumePrivilege	1552	WMIC.exe
Token: 33	1552	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3536	DiscordSetup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4624	3536	DiscordSetup.exe	66
PID 3536 wrote to memory of 4624	3536	DiscordSetup.exe	66
PID 4624 wrote to memory of 4396	4624	cmd.exe	68
PID 4624 wrote to memory of 4396	4624	cmd.exe	68
PID 3536 wrote to memory of 3928	3536	DiscordSetup.exe	70
PID 3536 wrote to memory of 3928	3536	DiscordSetup.exe	70
PID 3928 wrote to memory of 4632	3928	cmd.exe	72
PID 3928 wrote to memory of 4632	3928	cmd.exe	72
PID 3536 wrote to memory of 4540	3536	DiscordSetup.exe	73
PID 3536 wrote to memory of 4540	3536	DiscordSetup.exe	73
PID 4540 wrote to memory of 1552	4540	cmd.exe	75
PID 4540 wrote to memory of 1552	4540	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /T /IM wordpad.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wordpad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic PATH Win32_DesktopMonitor GET PNPDeviceID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_DesktopMonitor GET PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic PATH Win32_DesktopMonitor GET PNPDeviceID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_DesktopMonitor GET PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-119-0x00007FF6C63D0000-0x00007FF6C7210000-memory.dmp

Filesize
14.2MB

Download
memory/3536-125-0x00000220AA920000-0x00000220AAA20000-memory.dmp

Filesize
1024KB

Download
memory/3536-134-0x00000220AA920000-0x00000220AAA20000-memory.dmp

Filesize
1024KB

Download