1399d5b620c625e02dc9873240b3cc9cdafc451673a82275f0da8b9c6a5ae486

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 13:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Discord.AIO.exe
Size

6.5MB
MD5

7adc6022bb09db5e263fb294aaab2566
SHA1

77746a413c35573521c14eba036a2da5da68526a
SHA256

54bb1a394197df666003cd83a607b364b373c32df999c51f3c14bb830fc776ee
SHA512

21922589a3dc6fd2ccf4545dceb15249ca8882d946d9a29a90248dec55ed41b719d9d835381e0115a10d58957dbbc7ac3a277c2e1e88f398c672bed8e249a11a
SSDEEP

98304:27w0WYwOYA4vWVU4fgcmnH3EPIL6yFs9u/FpboNe7mZD7JOu9mq2Jo2N/03FIgcG:ts4vkmXas+6cOGR2JFNmWZCZ

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/4656-134-0x0000000000880000-0x0000000000EFA000-memory.dmp	disable_win_def

Loads dropped DLL 1 IoCs

pid	Process
4656	Discord.AIO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	Discord.AIO.exe

C:\Users\Admin\AppData\Local\Temp\Discord.AIO.exe
"C:\Users\Admin\AppData\Local\Temp\Discord.AIO.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll

Filesize
943KB

MD5
2ff7acfa80647ee46cc3c0e446327108

SHA1
c994820d03af722c244b046d1ee0967f1b5bc478

SHA256
08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

SHA512
50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

Download Submit
memory/4656-133-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4656-134-0x0000000000880000-0x0000000000EFA000-memory.dmp

Filesize
6.5MB

Download
memory/4656-135-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/4656-136-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/4656-137-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/4656-138-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/4656-139-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/4656-144-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/4656-145-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4656-146-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/4656-147-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download