4286f05225b773ba95830a248e111cb47a12f4a3cb60d8f823a6cb8a461ccb98

Resubmissions

04/06/2023, 16:31

230604-t1hh5acf88 9

04/06/2023, 16:30

230604-tzxlnacf87 9

Analysis

max time kernel
261s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2023, 16:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DiscordSetup.exe
Size

5.3MB
MD5

9cce9ee0020b6f3771ffea7f00fddae0
SHA1

9b35d27cc87d54413ba920fb0ba46d437bb2a285
SHA256

4286f05225b773ba95830a248e111cb47a12f4a3cb60d8f823a6cb8a461ccb98
SHA512

d71b4cd71369e0befc95770faff086be529455b6e281dc728dbbf6e568ec8b41ce926b61b70a998c14080094c5a25d74ad313dbcead1d960ecbf6ac118e0f038
SSDEEP

98304:aKoJzvhoTYC61CGlcnn2pL3+Skbr7oOCvpn3sgJxzz5sjwiYHJf:aTR5okC61CGlcn2V6bvU2grzijMl

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DiscordSetup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DiscordSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DiscordSetup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DiscordSetup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4564	DiscordSetup.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4564	DiscordSetup.exe
4564	DiscordSetup.exe
4564	DiscordSetup.exe
4564	DiscordSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4564	DiscordSetup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	DiscordSetup.exe
Token: SeIncBasePriorityPrivilege	4564	DiscordSetup.exe
Token: SeIncBasePriorityPrivilege	4564	DiscordSetup.exe
Token: SeDebugPrivilege	2144	taskkill.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4564	DiscordSetup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1016	4564	DiscordSetup.exe	83
PID 4564 wrote to memory of 1016	4564	DiscordSetup.exe	83
PID 1016 wrote to memory of 2144	1016	cmd.exe	85
PID 1016 wrote to memory of 2144	1016	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /T /IM wordpad.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wordpad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4564-133-0x00007FF7E3FC0000-0x00007FF7E4E00000-memory.dmp

Filesize
14.2MB

Download
memory/4564-141-0x00000194B07B0000-0x00000194B08B0000-memory.dmp

Filesize
1024KB

Download
memory/4564-142-0x00007FF7E3FC0000-0x00007FF7E4E00000-memory.dmp

Filesize
14.2MB

Download
memory/4564-143-0x00000194B07B0000-0x00000194B08B0000-memory.dmp

Filesize
1024KB

Download