Analysis

  • max time kernel
    0s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/12/2023, 16:08

General

  • Target

    e2b22c7e6a61834361d49697274d8cb3.exe

  • Size

    3.6MB

  • MD5

    e2b22c7e6a61834361d49697274d8cb3

  • SHA1

    756cc64ff7b028542d41e747d55d0e540c61ae46

  • SHA256

    c151884ac7e723b223f637c64a4e352b7439f0d37099327e800959dd062d14e0

  • SHA512

    3e567dea239a1fc93bf70926cb3a74da785af4d8725fbdd553dc8d58ebb7980ebd9812b1c3b78da8eeedbb5a0c78bcf721383c93a029e0aa674f56386e977932

  • SSDEEP

    98304:LKFiM/xFnow/acBwC8oIBxnUl/nhJ/MJMiWq1M2xCSBcDE:LKF5ZmwC4iNUlv+JW4Me0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with the VMProtect commercial packer.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      2⤵
      PID:2548
  • C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe
    "C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2344
  • C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
    C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
    1⤵
    • Executes dropped EXE
    PID:2752
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs"
      2⤵
      PID:1088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
        3⤵
        PID:1740
  • C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
    C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
    1⤵
    • Executes dropped EXE
    PID:2700
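The process tree above shows Windows Defender being blinded twice: Add-MpPreference excludes every user and system directory plus all exe/dll files, and a VBS dropped beside the payload (dcyqigq.vbs) runs Set-MpPreference -ExclusionPath C:\ through WScript.exe. None of the signatures listed in this report names that tampering directly, so the script below is an added triage example (not part of the sandbox report, the sample, or any vendor tooling): it replays the process list as constructed events, extracts the exclusions from Add-/Set-MpPreference command lines, rates them by how much of the host they cover, and flags the script-host-to-PowerShell and "cmd /c start" from Temp chains. The ProcEvent records, rule names, severity thresholds (BROAD_PATHS, BROAD_EXTS) and SCRIPT_HOSTS list are my assumptions; PIDs and command lines are copied from the tree and the parent links follow its nesting.

```python
"""Added triage example (not part of the sandbox report or the sample):
replay the process tree as events, pull the Defender exclusions out of
Add-/Set-MpPreference command lines and flag the suspicious launch chains."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int       # 0 when the report shows no parent
    image: str
    cmdline: str


# Constructed from the report's process tree; parent links follow its nesting.
EVENTS = [
    ProcEvent(3052, 0, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,'
              '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" '
              '& powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force" & exit'),
    ProcEvent(2284, 3052, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,'
              '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'),
    ProcEvent(2548, 3052, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force"'),
    ProcEvent(2108, 0, r"C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"'),
    ProcEvent(2136, 2108, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe"),
    ProcEvent(2344, 2108, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe"),
    ProcEvent(2752, 0, r"C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe",
              r"C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe"),
    ProcEvent(1088, 2752, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs"'),
    ProcEvent(1740, 1088, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              'Set-MpPreference -ExclusionPath C:\\'),
    ProcEvent(2700, 0, r"C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe",
              r"C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe"),
]

MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# The value is a PowerShell array literal @( ... ), a quoted string, or one bare token such as C:\
EXCL_ARG = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(@\([^)]*\)|\"[^\"]*\"|'[^']*'|\S+)", re.I)
# Assumed thresholds: these exclusions effectively disable on-access scanning host-wide.
BROAD_PATHS = {"$env:systemdrive", "$env:homedrive", "$env:systemroot"}
BROAD_EXTS = {"exe", "dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed LOLBin list


def parse_exclusions(cmdline):
    """Map 'Path'/'Extension'/'Process' to the items excluded by an
    Add-/Set-MpPreference command line; {} when the cmdlet is absent."""
    if not MP_CMDLET.search(cmdline):
        return {}
    found = {}
    for kind, raw in EXCL_ARG.findall(cmdline):
        if raw.startswith("@("):
            raw = raw[2:-1]                      # unwrap the array literal
        items = [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]
        found.setdefault(kind.capitalize(), []).extend(items)
    return found


def is_broad_path(path):
    """A drive root, or an env var that expands to one or to the Windows dir."""
    p = path.lower()
    return p in BROAD_PATHS or re.fullmatch(r"[a-z]:\\?", p) is not None


def rate_exclusions(excl):
    """'critical' when a drive/Windows root or every exe/dll is excluded,
    'high' for any narrower exclusion, None when nothing is excluded."""
    if not excl:
        return None
    if any(is_broad_path(p) for p in excl.get("Path", [])):
        return "critical"
    if any(e.lower().lstrip(".") in BROAD_EXTS for e in excl.get("Extension", [])):
        return "critical"
    return "high"


def image_name(ev):
    return ev.image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, rule, detail) findings for the three patterns in the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        excl = parse_exclusions(ev.cmdline)
        sev = rate_exclusions(excl)
        if sev:
            findings.append((ev.pid, f"defender_exclusion_{sev}", excl))
        parent = by_pid.get(ev.ppid)
        if parent and image_name(parent) in SCRIPT_HOSTS and image_name(ev) == "powershell.exe":
            findings.append((ev.pid, "script_host_spawns_powershell", parent.cmdline))
        # A dropped binary launched out of the user's Temp directory via "cmd /c start"
        m = re.search(r"\bstart\s+(\S+\\AppData\\Local\\Temp\\\S+\.exe)\b", ev.cmdline, re.I)
        if image_name(ev) == "cmd.exe" and m:
            findings.append((ev.pid, "cmd_start_from_temp", m.group(1)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"PID {pid}: {rule} -> {detail}")
```

Run against the tree above it reports PIDs 3052, 2284 and 2548 (Add-MpPreference) and 1740 (Set-MpPreference -ExclusionPath C:\) as critical exclusion tampering, 1740 additionally as PowerShell spawned by a script host, and 2136/2344 as Temp-directory launches. The cmd.exe parent (3052) is flagged as well as the two PowerShell children because its command line already carries both cmdlets; in real telemetry that is the event you get even when script block logging is off.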

Network

MITRE ATT&CK Matrix

Downloads

Dropped files and memory dumps. Several paths (DiscordGrabber.exe, discordgrabberdataalert.exe) are listed more than once with different sizes and hashes, so treat each entry as a separate observation rather than one canonical hash, and confirm against the file actually left on disk before using a single hash as an indicator.

              • C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

                Filesize

                72KB

                MD5

                a8a8813ccae5fadcfd5ceb54bd73d487

                SHA1

                5db2d1806db9e8225d8a43cf6ddf0dd6f86ee508

                SHA256

                954990088ae0a2f592afaabe9be890ecc79eb21eb11a68e5e851fd9a1a91f60a

                SHA512

                0fddda23d652db74b6da169eb1386d689ab52bcd3ac3af633866c16e3ccb13c354d0b2ba881c975a9f3f1df68b909d19750d81397b198f7b705fa6c915fddf37

              • C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

                Filesize

                121KB

                MD5

                26a633c80363cc69fd56c9cb21043468

                SHA1

                24031612c3bdec8211f62d290293cf19e6dfd1cc

                SHA256

                6b79ceb99a3830de885f53d488b092e8aaac9128ff7110d0aeb814ca15e46d1b

                SHA512

                ee660762dd3e0d4f67d74b152e5b4e26f249f6132ac4708bae17abe0ba4a4477986f0fe9acc125c7e87d6e8e0781f4c9bd96e78da30a40543e29a84c59546352

              • C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs

                Filesize

                92B

                MD5

                4b13abd262e6f452b680b7c404285a32

                SHA1

                a5b55774c48678a82ab377a7d23a00ec6a174dea

                SHA256

                e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff

                SHA512

                8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

              • C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

                Filesize

                45KB

                MD5

                388cdcfca24309c6293ba05e77a877b5

                SHA1

                42cd6023dc7e3e6dd535a8ba702d1e4500d6bcdf

                SHA256

                0fc048c8ad65106ca2b8ad5fb0c10479a2868b8b542721d0d18c15d94dcb28f5

                SHA512

                e5f424e79ff399707ff3d15b17d2342e1962a8c8787e74f2111b898db416822e30d955b6cb206f388ec5a9059341e7765dfd3d351b05cfbd7692879c5012c978

              • C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

                Filesize

                30KB

                MD5

                efeee1149ce5321d3965c3a710709f9f

                SHA1

                cf4c97ecb3b3023dec8c8da90d9d1860a6ceebca

                SHA256

                caed1021c3210591debe5947652c6327c4455009c2f03fba89331ce0dc6bac4d

                SHA512

                28ccde2b4964be07a522be9507592baec3e0be5e5dc456ae24c23e00781b71c064601e3703910d007c83aaf3a638f9c6085fc527f64b02df24474070099853e2

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JXWZNLMOJ7NJUPBU1Y5.temp

                Filesize

                7KB

                MD5

                07daa5888db7344322eb2d93048a79e8

                SHA1

                a034a143075e904235ebc87b23b134f20c3d54b9

                SHA256

                a1b8dcdcf8767c4ddeb38a3bd338a1139b3ea14f4bbb0f2994b05e108bf0e765

                SHA512

                92432753284c2ad48b910e272f71350bea8c344a938239e6a659b724715a36de114a8890efb32598bad629746cc6ab9c64611d6115cca1ebf915bf044f04e8c8

              • \Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

                Filesize

                81KB

                MD5

                c553eee0b01c283e89aeaba14f0b7396

                SHA1

                659d7598adee8fc0349941771df0fb6179672a20

                SHA256

                900f6dd1d7085c960667c35790384eae95e3e610875f098c14c23ba1f98a6054

                SHA512

                cb8482fd5c19a639b12ef558d28db4ec58ecaf5857f83fe41af9b86aa6b100f89f7f4b3bb07ccc8fbc7609d1ca835bade64d2dda31631a5bce2cb3fecdecc73b

              • \Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

                Filesize

                154KB

                MD5

                61d896ca84ea2de3a978c3489b16fc48

                SHA1

                daa2b2bc89a6064f2980ea55bba0c4b5cc88ebe9

                SHA256

                05649a9858017745b88822c3aaabe887bfda83fb0c8a692701e728c019c1ed9b

                SHA512

                28076868772376c93cc8cbebcdf0a04617dcada0530cb8397c5063af1feb5b2d05611b920314e79e22d8adf9d1bcd73784e83e00ab6a420b0cd06e979a8fea47

              • memory/1740-503-0x0000000002C80000-0x0000000002D00000-memory.dmp

                Filesize

                512KB

              • memory/1740-504-0x0000000002C80000-0x0000000002D00000-memory.dmp

                Filesize

                512KB

              • memory/1740-498-0x00000000004F0000-0x00000000004F8000-memory.dmp

                Filesize

                32KB

              • memory/1740-499-0x000007FEED1D0000-0x000007FEEDB6D000-memory.dmp

                Filesize

                9.6MB

              • memory/1740-501-0x000007FEED1D0000-0x000007FEEDB6D000-memory.dmp

                Filesize

                9.6MB

              • memory/1740-500-0x0000000002C80000-0x0000000002D00000-memory.dmp

                Filesize

                512KB

              • memory/1740-505-0x000007FEED1D0000-0x000007FEEDB6D000-memory.dmp

                Filesize

                9.6MB

              • memory/1740-502-0x0000000002C80000-0x0000000002D00000-memory.dmp

                Filesize

                512KB

              • memory/1740-497-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

                Filesize

                2.9MB

              • memory/2284-19-0x00000000739F0000-0x0000000073F9B000-memory.dmp

                Filesize

                5.7MB

              • memory/2284-18-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

                Filesize

                256KB

              • memory/2284-21-0x00000000739F0000-0x0000000073F9B000-memory.dmp

                Filesize

                5.7MB

              • memory/2284-20-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

                Filesize

                256KB

              • memory/2284-17-0x00000000739F0000-0x0000000073F9B000-memory.dmp

                Filesize

                5.7MB

              • memory/2284-16-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

                Filesize

                256KB

              • memory/2548-29-0x00000000739B0000-0x0000000073F5B000-memory.dmp

                Filesize

                5.7MB

              • memory/2548-31-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2548-30-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2548-27-0x00000000739B0000-0x0000000073F5B000-memory.dmp

                Filesize

                5.7MB

              • memory/2548-34-0x00000000739B0000-0x0000000073F5B000-memory.dmp

                Filesize

                5.7MB

              • memory/2548-28-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-37-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-39-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-41-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

                Filesize

                9.9MB

              • memory/2700-510-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-507-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-508-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-506-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-40-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-33-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-35-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-38-0x000000001BDF0000-0x000000001C058000-memory.dmp

                Filesize

                2.4MB

              • memory/2700-36-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-32-0x0000000002960000-0x00000000029A0000-memory.dmp

                Filesize

                256KB

              • memory/2700-512-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-511-0x000000001BB10000-0x000000001BB90000-memory.dmp

                Filesize

                512KB

              • memory/2700-14-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

                Filesize

                9.9MB

              • memory/2700-13-0x0000000000270000-0x0000000000A6A000-memory.dmp

                Filesize

                8.0MB

              • memory/2752-94-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-88-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-86-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-84-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-82-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-80-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-76-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-74-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-70-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-68-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-66-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-64-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-62-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-60-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-58-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-56-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-54-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-50-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-48-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-46-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-45-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-43-0x000000001BA70000-0x000000001BAF0000-memory.dmp

                Filesize

                512KB

              • memory/2752-485-0x000000001ADB0000-0x000000001AE04000-memory.dmp

                Filesize

                336KB

              • memory/2752-486-0x000000001AE00000-0x000000001AE4C000-memory.dmp

                Filesize

                304KB

              • memory/2752-484-0x0000000000760000-0x000000000076C000-memory.dmp

                Filesize

                48KB

              • memory/2752-483-0x00000000024E0000-0x0000000002532000-memory.dmp

                Filesize

                328KB

              • memory/2752-90-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-92-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-96-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-98-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-102-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-104-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-106-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-108-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-100-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-78-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-72-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-52-0x0000000002250000-0x00000000022D5000-memory.dmp

                Filesize

                532KB

              • memory/2752-44-0x0000000002250000-0x00000000022DA000-memory.dmp

                Filesize

                552KB

              • memory/2752-42-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

                Filesize

                9.9MB

              • memory/2752-15-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

                Filesize

                9.9MB

              • memory/2752-10-0x000000013FA90000-0x000000013FB0A000-memory.dmp

                Filesize

                488KB

              • memory/2752-513-0x000000001BA70000-0x000000001BAF0000-memory.dmp

                Filesize

                512KB