Analysis
- max time kernel: 0s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/12/2023, 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: e2b22c7e6a61834361d49697274d8cb3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: e2b22c7e6a61834361d49697274d8cb3.exe
- Resource: win10v2004-20231215-en
General
- Target: e2b22c7e6a61834361d49697274d8cb3.exe
- Size: 3.6MB
- MD5: e2b22c7e6a61834361d49697274d8cb3
- SHA1: 756cc64ff7b028542d41e747d55d0e540c61ae46
- SHA256: c151884ac7e723b223f637c64a4e352b7439f0d37099327e800959dd062d14e0
- SHA512: 3e567dea239a1fc93bf70926cb3a74da785af4d8725fbdd553dc8d58ebb7980ebd9812b1c3b78da8eeedbb5a0c78bcf721383c93a029e0aa674f56386e977932
- SSDEEP: 98304:LKFiM/xFnow/acBwC8oIBxnUl/nhJ/MJMiWq1M2xCSBcDE:LKF5ZmwC4iNUlv+JW4Me0
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2752  discordgrabberdataalert.exe
  pid 2700  DiscordGrabber.exe
- Loads dropped DLL (2 IoCs)
  pid 2344  cmd.exe
  pid 2136  cmd.exe
- YARA rule match: vmprotect
  behavioral1/files/0x000d00000001225c-8.dat
  behavioral1/files/0x000d00000001225c-7.dat
  behavioral1/files/0x000d00000001225c-2.dat
  behavioral1/memory/2700-13-0x0000000000270000-0x0000000000A6A000-memory.dmp
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2284  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2284  powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Each distinct writer/target pair below was recorded four times (6 pairs x 4 calls = 24 IoCs).
  PID   wrote to memory of   Process                               procid_target   calls
  2108  3052                 e2b22c7e6a61834361d49697274d8cb3.exe  20              4
  2108  2344                 e2b22c7e6a61834361d49697274d8cb3.exe  29              4
  2108  2136                 e2b22c7e6a61834361d49697274d8cb3.exe  28              4
  3052  2284                 cmd.exe                               25              4
  2344  2700                 cmd.exe                               24              4
  2136  2752                 cmd.exe                               23              4
Processes
Each entry gives the image (PID), then the command line, then the signatures matched on it; indentation shows the parent/child relationship as the sandbox displayed it.

C:\Windows\SysWOW64\cmd.exe (PID 3052)
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2284)
      powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2548)
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe (PID 2108)
  "C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2136)
      cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2344)
      cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe (PID 2752)
  C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
  - Executes dropped EXE
    C:\Windows\System32\WScript.exe (PID 1088)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs"
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1740)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe (PID 2700)
  C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
  - Executes dropped EXE
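The tree above shows Microsoft Defender exclusions being added from two independent paths: the cmd.exe chain (PID 3052) runs Add-MpPreference twice, first excluding the user profile, %AppData%, %Temp%, %SystemRoot%, the home drive and the system drive, then excluding every exe and dll; separately, the VBS launched by discordgrabberdataalert.exe runs Set-MpPreference -ExclusionPath C:\ and excludes the whole drive. The Python below is an added example, not code from the report, the sandbox or the sample. It scans process-creation command lines for Add-/Set-MpPreference exclusion tampering, splits invocations chained with & on one cmd line, extracts the excluded paths and extensions, and marks exclusions that cover a drive root, the user profile or all executables as blanket. The event tuples are constructed from the command lines reproduced in the tree; the (pid, image, cmdline) shape is an assumption rather than any specific log format, and the PID 4242 Get-MpPreference line is an added negative control.

```python
"""Scan process-creation command lines for Microsoft Defender exclusion tampering.

Added example for this report; not code from the sandbox or the sample.
SAMPLE_EVENTS is constructed from the command lines shown in the process tree.
"""
import re
from dataclasses import dataclass, field

# One Add-/Set-MpPreference invocation per match, even when several are chained
# in a single "cmd /c ... & ..." line. The lazy .*? stops at the next cmdlet or EOL.
_INVOCATION = re.compile(
    r"\b(?P<cmdlet>(?:Add|Set)-MpPreference)\b(?P<args>.*?)"
    r"(?=\b(?:Add|Set)-MpPreference\b|$)",
    re.IGNORECASE | re.DOTALL,
)
# Exclusion parameter followed by its value: a PowerShell array @(...), a quoted
# string, or one bare token. Switches such as -Force never match here.
_PARAM = re.compile(
    r"-Exclusion(?P<kind>Path|Extension|Process|IpAddress)\s+"
    r"(?P<value>@\([^)]*\)|\"[^\"]*\"|'[^']*'|[^\s\"'&]+)",
    re.IGNORECASE,
)
_CANON = {"path": "ExclusionPath", "extension": "ExclusionExtension",
          "process": "ExclusionProcess", "ipaddress": "ExclusionIpAddress"}

# Path exclusions that amount to turning Defender off for the whole system, and
# extension exclusions that cover every executable image (compared lower-case).
BLANKET_PATHS = {"c:", "$env:systemdrive", "$env:homedrive", "$env:systemroot", "$env:userprofile"}
BLANKET_EXTENSIONS = {"exe", "dll"}


def _split_value(raw: str) -> list[str]:
    """Turn @('exe','dll'), a quoted path, or $env:Temp into a list of plain items."""
    raw = raw.strip()
    if raw.startswith("@(") and raw.endswith(")"):
        raw = raw[2:-1]
    items = [p.strip().strip("'\"").strip() for p in raw.split(",")]
    return [p for p in items if p]


@dataclass
class Finding:
    pid: int
    image: str
    cmdlet: str  # canonical "Add-MpPreference" or "Set-MpPreference"
    exclusions: dict[str, list[str]] = field(default_factory=dict)  # parameter -> items

    @property
    def blanket(self) -> bool:
        """True when a drive root, the user profile or all exe/dll files are excluded."""
        paths = {p.lower().rstrip("\\") for p in self.exclusions.get("ExclusionPath", [])}
        exts = {e.lower().lstrip(".") for e in self.exclusions.get("ExclusionExtension", [])}
        return bool(paths & BLANKET_PATHS or exts & BLANKET_EXTENSIONS)


def scan_cmdline(pid: int, image: str, cmdline: str) -> list[Finding]:
    """Return one Finding per Add-/Set-MpPreference invocation that sets an exclusion."""
    findings: list[Finding] = []
    for inv in _INVOCATION.finditer(cmdline):
        excl: dict[str, list[str]] = {}
        for p in _PARAM.finditer(inv.group("args")):
            excl.setdefault(_CANON[p.group("kind").lower()], []).extend(_split_value(p.group("value")))
        if excl:  # an invocation touching no exclusion parameter is not an exclusion change
            cmdlet = "Add-MpPreference" if inv.group("cmdlet").lower().startswith("add") else "Set-MpPreference"
            findings.append(Finding(pid, image, cmdlet, excl))
    return findings


def scan_events(events) -> list[Finding]:
    """Apply scan_cmdline to an iterable of (pid, image, cmdline) tuples."""
    return [f for pid, image, cmdline in events for f in scan_cmdline(pid, image, cmdline)]


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCL_PATHS = "@($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive)"

# Constructed from the report's process tree; the last event (PID 4242) is a
# benign read-only query added as a negative control.
SAMPLE_EVENTS = [
    (3052, r"C:\Windows\SysWOW64\cmd.exe",
     f'cmd /c powershell -Command "Add-MpPreference -ExclusionPath {EXCL_PATHS} -Force" '
     '& powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force" & exit'),
    (2284, PS32, f'powershell -Command "Add-MpPreference -ExclusionPath {EXCL_PATHS} -Force"'),
    (2548, PS32, 'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force"'),
    (1740, PS64, f'"{PS64}" Set-MpPreference -ExclusionPath C:\\'),
    (4242, PS64, 'powershell -Command "Get-MpPreference | Select-Object ExclusionPath"'),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.cmdlet:<17} {'BLANKET' if f.blanket else 'scoped '} {f.exclusions}")
```

Command-line matching is a first pass only: PowerShell accepts abbreviated parameter names, an encoded command hides the text entirely, and the PID 1740 invocation shows the cmdlet needs no -Force. Corroborate with Microsoft-Windows-Windows Defender/Operational event ID 5007 (configuration changed) and compare Get-MpPreference output on the host against the expected baseline.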
Network
Downloads

- Filesize: 72KB
  MD5: a8a8813ccae5fadcfd5ceb54bd73d487
  SHA1: 5db2d1806db9e8225d8a43cf6ddf0dd6f86ee508
  SHA256: 954990088ae0a2f592afaabe9be890ecc79eb21eb11a68e5e851fd9a1a91f60a
  SHA512: 0fddda23d652db74b6da169eb1386d689ab52bcd3ac3af633866c16e3ccb13c354d0b2ba881c975a9f3f1df68b909d19750d81397b198f7b705fa6c915fddf37

- Filesize: 121KB
  MD5: 26a633c80363cc69fd56c9cb21043468
  SHA1: 24031612c3bdec8211f62d290293cf19e6dfd1cc
  SHA256: 6b79ceb99a3830de885f53d488b092e8aaac9128ff7110d0aeb814ca15e46d1b
  SHA512: ee660762dd3e0d4f67d74b152e5b4e26f249f6132ac4708bae17abe0ba4a4477986f0fe9acc125c7e87d6e8e0781f4c9bd96e78da30a40543e29a84c59546352

- Filesize: 92B
  MD5: 4b13abd262e6f452b680b7c404285a32
  SHA1: a5b55774c48678a82ab377a7d23a00ec6a174dea
  SHA256: e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff
  SHA512: 8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

- Filesize: 45KB
  MD5: 388cdcfca24309c6293ba05e77a877b5
  SHA1: 42cd6023dc7e3e6dd535a8ba702d1e4500d6bcdf
  SHA256: 0fc048c8ad65106ca2b8ad5fb0c10479a2868b8b542721d0d18c15d94dcb28f5
  SHA512: e5f424e79ff399707ff3d15b17d2342e1962a8c8787e74f2111b898db416822e30d955b6cb206f388ec5a9059341e7765dfd3d351b05cfbd7692879c5012c978

- Filesize: 30KB
  MD5: efeee1149ce5321d3965c3a710709f9f
  SHA1: cf4c97ecb3b3023dec8c8da90d9d1860a6ceebca
  SHA256: caed1021c3210591debe5947652c6327c4455009c2f03fba89331ce0dc6bac4d
  SHA512: 28ccde2b4964be07a522be9507592baec3e0be5e5dc456ae24c23e00781b71c064601e3703910d007c83aaf3a638f9c6085fc527f64b02df24474070099853e2

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JXWZNLMOJ7NJUPBU1Y5.temp
  Filesize: 7KB
  MD5: 07daa5888db7344322eb2d93048a79e8
  SHA1: a034a143075e904235ebc87b23b134f20c3d54b9
  SHA256: a1b8dcdcf8767c4ddeb38a3bd338a1139b3ea14f4bbb0f2994b05e108bf0e765
  SHA512: 92432753284c2ad48b910e272f71350bea8c344a938239e6a659b724715a36de114a8890efb32598bad629746cc6ab9c64611d6115cca1ebf915bf044f04e8c8

- Filesize: 81KB
  MD5: c553eee0b01c283e89aeaba14f0b7396
  SHA1: 659d7598adee8fc0349941771df0fb6179672a20
  SHA256: 900f6dd1d7085c960667c35790384eae95e3e610875f098c14c23ba1f98a6054
  SHA512: cb8482fd5c19a639b12ef558d28db4ec58ecaf5857f83fe41af9b86aa6b100f89f7f4b3bb07ccc8fbc7609d1ca835bade64d2dda31631a5bce2cb3fecdecc73b

- Filesize: 154KB
  MD5: 61d896ca84ea2de3a978c3489b16fc48
  SHA1: daa2b2bc89a6064f2980ea55bba0c4b5cc88ebe9
  SHA256: 05649a9858017745b88822c3aaabe887bfda83fb0c8a692701e728c019c1ed9b
  SHA512: 28076868772376c93cc8cbebcdf0a04617dcada0530cb8397c5063af1feb5b2d05611b920314e79e22d8adf9d1bcd73784e83e00ab6a420b0cd06e979a8fea47