Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2023, 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: e2b22c7e6a61834361d49697274d8cb3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: e2b22c7e6a61834361d49697274d8cb3.exe
- Resource: win10v2004-20231215-en
General
- Target: e2b22c7e6a61834361d49697274d8cb3.exe
- Size: 3.6MB
- MD5: e2b22c7e6a61834361d49697274d8cb3
- SHA1: 756cc64ff7b028542d41e747d55d0e540c61ae46
- SHA256: c151884ac7e723b223f637c64a4e352b7439f0d37099327e800959dd062d14e0
- SHA512: 3e567dea239a1fc93bf70926cb3a74da785af4d8725fbdd553dc8d58ebb7980ebd9812b1c3b78da8eeedbb5a0c78bcf721383c93a029e0aa674f56386e977932
- SSDEEP: 98304:LKFiM/xFnow/acBwC8oIBxnUl/nhJ/MJMiWq1M2xCSBcDE:LKF5ZmwC4iNUlv+JW4Me0
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (process: discordgrabberdataalert.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discordgrabberdataalert.vbs (process: discordgrabberdataalert.exe)
- Executes dropped EXE (2 IoCs)
  pid 2040: discordgrabberdataalert.exe
  pid 4700: DiscordGrabber.exe
- YARA rule match: vmprotect (3 IoCs)
  behavioral2/files/0x000400000001e96f-7.dat: vmprotect
  behavioral2/files/0x000400000001e96f-8.dat: vmprotect
  behavioral2/memory/4700-10-0x000002D3F4CB0000-0x000002D3F54AA000-memory.dmp: vmprotect
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discordgrabberdataalert = "\"C:\\Users\\Admin\\AppData\\Roaming\\discordgrabberdataalert.exe\"" (process: discordgrabberdataalert.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings (process: discordgrabberdataalert.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 4448: powershell.exe (x2)
  pid 468: powershell.exe (x2)
  pid 3040: powershell.exe (x3)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege (pid 4448, powershell.exe)
  Token: SeDebugPrivilege (pid 468, powershell.exe)
  Token: SeDebugPrivilege (pid 2040, discordgrabberdataalert.exe)
  Token: SeDebugPrivilege (pid 3040, powershell.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Rows are description (writer pid, writer process, procid_target); identical rows are collapsed with a count.
  PID 4744 wrote to memory of 3580 (4744, e2b22c7e6a61834361d49697274d8cb3.exe, 23) x3
  PID 4744 wrote to memory of 556 (4744, e2b22c7e6a61834361d49697274d8cb3.exe, 35) x3
  PID 4744 wrote to memory of 3476 (4744, e2b22c7e6a61834361d49697274d8cb3.exe, 29) x3
  PID 3476 wrote to memory of 2040 (3476, cmd.exe, 33) x2
  PID 3580 wrote to memory of 4448 (3580, cmd.exe, 32) x3
  PID 556 wrote to memory of 4700 (556, cmd.exe, 31) x2
  PID 3580 wrote to memory of 468 (3580, cmd.exe, 72) x3
  PID 2040 wrote to memory of 4460 (2040, discordgrabberdataalert.exe, 108) x2
  PID 4460 wrote to memory of 3040 (4460, WScript.exe, 107) x2
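The WriteProcessMemory rows double as a parent-to-child map: when a process is created, the parent typically writes the new child's startup data into it before it runs, which is what the repeated writes per pid pair are. Reading them that way resolves where DiscordGrabber.exe (4700) and the third powershell.exe (3040) actually came from, since the process tree below renders both at the top level while the rows tie them to cmd.exe (556) and WScript.exe (4460). The Python below is an added example, not part of the sandbox report or its tooling: it parses the 23 rows in the sandbox's own row format, rebuilds the lineage, and refuses to pick a parent when two different processes wrote into the same pid (which is how injection into an already running process, rather than creation, would show up in this table). The image names for pids that never write into another process (LEAF_IMAGES) are taken from the report's process list; nothing else is assumed.

```python
import re
from collections import defaultdict

# One row of the report's "Suspicious use of WriteProcessMemory" table:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# The 23 rows from this report in the sandbox's row format; repeats are kept on purpose.
REPORT_ROWS = """\
PID 4744 wrote to memory of 3580 4744 e2b22c7e6a61834361d49697274d8cb3.exe 23
PID 4744 wrote to memory of 3580 4744 e2b22c7e6a61834361d49697274d8cb3.exe 23
PID 4744 wrote to memory of 3580 4744 e2b22c7e6a61834361d49697274d8cb3.exe 23
PID 4744 wrote to memory of 556 4744 e2b22c7e6a61834361d49697274d8cb3.exe 35
PID 4744 wrote to memory of 556 4744 e2b22c7e6a61834361d49697274d8cb3.exe 35
PID 4744 wrote to memory of 556 4744 e2b22c7e6a61834361d49697274d8cb3.exe 35
PID 4744 wrote to memory of 3476 4744 e2b22c7e6a61834361d49697274d8cb3.exe 29
PID 4744 wrote to memory of 3476 4744 e2b22c7e6a61834361d49697274d8cb3.exe 29
PID 4744 wrote to memory of 3476 4744 e2b22c7e6a61834361d49697274d8cb3.exe 29
PID 3476 wrote to memory of 2040 3476 cmd.exe 33
PID 3476 wrote to memory of 2040 3476 cmd.exe 33
PID 3580 wrote to memory of 4448 3580 cmd.exe 32
PID 3580 wrote to memory of 4448 3580 cmd.exe 32
PID 3580 wrote to memory of 4448 3580 cmd.exe 32
PID 556 wrote to memory of 4700 556 cmd.exe 31
PID 556 wrote to memory of 4700 556 cmd.exe 31
PID 3580 wrote to memory of 468 3580 cmd.exe 72
PID 3580 wrote to memory of 468 3580 cmd.exe 72
PID 3580 wrote to memory of 468 3580 cmd.exe 72
PID 2040 wrote to memory of 4460 2040 discordgrabberdataalert.exe 108
PID 2040 wrote to memory of 4460 2040 discordgrabberdataalert.exe 108
PID 4460 wrote to memory of 3040 4460 WScript.exe 107
PID 4460 wrote to memory of 3040 4460 WScript.exe 107
"""

# Images of pids that never write into another process, taken from the report's process list.
LEAF_IMAGES = {4448: "powershell.exe", 468: "powershell.exe",
               4700: "DiscordGrabber.exe", 3040: "powershell.exe"}


def parse_rows(text):
    """Return ({(writer, target): write count}, {writer pid: image}) from the table text."""
    edges = defaultdict(int)
    images = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, image, _procid_target = m.groups()
        edges[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return dict(edges), images


def parent_map(edges):
    """Map each written-to pid to the single pid that wrote into it.
    Two different writers for one pid is not a creation chain (it is what
    injection into a running process looks like), so refuse to guess."""
    parents = {}
    for writer, target in edges:
        if parents.get(target, writer) != writer:
            raise ValueError(f"pid {target} written to by both {parents[target]} and {writer}")
        parents[target] = writer
    return parents


def lineage(edges, pid):
    """Root-to-leaf chain of pids ending at pid."""
    parents = parent_map(edges)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(edges, images):
    """Indented text tree rooted at the pids nobody wrote into."""
    names = {**LEAF_IMAGES, **images}
    parents = parent_map(edges)
    children = defaultdict(list)
    for (writer, target), count in sorted(edges.items()):
        children[writer].append((target, count))
    lines = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} write(s) from parent]" if writes else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}{tag}")
        for child, count in children[pid]:
            walk(child, depth + 1, count)

    for root in sorted(p for p in names if p not in parents):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, images = parse_rows(REPORT_ROWS)
    print(render_tree(edges, images))
    print("lineage of 3040:", " -> ".join(map(str, lineage(edges, 3040))))
```

Running it prints one tree rooted at 4744 with all nine children under it, and lineage(edges, 3040) comes back as 4744 -> 3476 -> 2040 -> 4460 -> 3040: the final Set-MpPreference -ExclusionPath C:\ is the end of the discordgrabberdataalert.exe branch, not an unrelated top-level process. Cross-check any lineage built this way against the sandbox's own tree; a row produced by injection rather than creation will trip the parent_map check if the target already has a parent, but a process injected into before it has a recorded parent will simply look like a child.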
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4744
  [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    - Suspicious use of WriteProcessMemory
    PID: 3580
    [level 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4448
    [level 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 468
  [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
    - Suspicious use of WriteProcessMemory
    PID: 3476
    [level 3] C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
      command line: C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2040
      [level 4] C:\Windows\System32\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tfcfd.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 4460
  [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
    - Suspicious use of WriteProcessMemory
    PID: 556
[level 1] C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
  - Executes dropped EXE
  PID: 4700
[level 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3040
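The chain above is worth detecting as a pattern, independent of this sample's hashes: a binary in %Temp% spawns cmd.exe, which runs Add-MpPreference to exclude the whole user profile, %SystemRoot% and both drive variables plus every .exe and .dll from Defender scanning; a later powershell.exe excludes C:\ outright; the payload is launched with cmd /c start from %Temp%, persists through a Run value pointing into AppData\Roaming and a Startup-folder .vbs, and runs a further .vbs from %Temp% via WScript.exe. The Python below is an added example, not part of the sandbox report or of any vendor product. It encodes those observations as rules over constructed process-creation, registry-set and file-create events: the command lines, registry value and file path are copied from this report, while the two benign events and their pids 9001/9002 are made up for contrast. The sets of broad exclusion targets and risky extensions are judgment calls for the example, not a Microsoft-published list.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One process-creation, registry-set or file-create event (shape constructed for this example)."""
    kind: str                 # "process", "registry" or "file"
    pid: int = 0
    image: str = ""           # process image path (process events)
    cmdline: str = ""         # full command line (process events)
    target: str = ""          # registry value path or file path
    data: str = ""            # registry value data


MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Argument to -ExclusionPath / -ExclusionExtension: an @(...) array, a quoted value or a bare token.
EXCLUSION_ARG = re.compile(r"""-Exclusion(Path|Extension)\s+(@\([^)]*\)|'[^']*'|"[^"]*"|\S+)""", re.IGNORECASE)
CMD_START = re.compile(r"""\bcmd(?:\.exe)?\s+/c\s+start\s+("[^"]+"|\S+)""", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Exclusion targets that cover a whole profile or volume: the six variables this sample uses
# plus a few equivalents. Judgment call for this example, not a Microsoft-published list.
BROAD_VARS = {"$env:userprofile", "$env:appdata", "$env:localappdata", "$env:temp", "$env:tmp",
              "$env:systemroot", "$env:windir", "$env:homedrive", "$env:systemdrive", "$env:programdata"}
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "js", "bat", "cmd", "scr"}


def exclusion_args(cmdline):
    """Return (paths, extensions) passed to -ExclusionPath / -ExclusionExtension anywhere in cmdline."""
    paths, exts = [], []
    for kind, raw in EXCLUSION_ARG.findall(cmdline):
        if raw.startswith("@(") and raw.endswith(")"):
            raw = raw[2:-1]                          # @('exe','dll') -> 'exe','dll'
        values = [v.strip().strip("'\"") for v in raw.split(",")]
        (paths if kind.lower() == "path" else exts).extend(v for v in values if v)
    return paths, exts


def is_broad_path(path):
    """True for a drive root, a whole-profile/whole-system variable, or C:\\Users / C:\\Windows."""
    p = path.lower().rstrip("\\")
    return p in BROAD_VARS or re.fullmatch(r"[a-z]:", p) is not None or p in {"c:\\users", "c:\\windows"}


def evaluate(event):
    """Return [(rule, detail)] for one event; more than one rule may fire."""
    hits = []
    if event.kind == "process":
        cl = event.cmdline
        if MP_PREFERENCE.search(cl):
            paths, exts = exclusion_args(cl)
            broad = [p for p in paths if is_broad_path(p)]
            risky = [e for e in exts if e.lower().lstrip(".") in RISKY_EXTENSIONS]
            if broad or risky:
                hits.append(("defender_exclusion_broad", f"paths={broad} extensions={risky}"))
            elif paths or exts:
                hits.append(("defender_exclusion", f"paths={paths} extensions={exts}"))
        m = CMD_START.search(cl)
        if m and TEMP_DIR.search(m.group(1)):
            hits.append(("cmd_start_from_temp", m.group(1)))
        if (event.image.lower().endswith("\\wscript.exe")
                and re.search(r"\.vbs\b", cl, re.IGNORECASE) and TEMP_DIR.search(cl)):
            hits.append(("wscript_vbs_from_temp", cl))
    elif event.kind == "registry":
        if RUN_KEY.search(event.target) and ROAMING_DIR.search(event.data):
            hits.append(("run_key_into_roaming", f"{event.target} = {event.data}"))
    elif event.kind == "file":
        if STARTUP_DIR.search(event.target):
            hits.append(("startup_folder_drop", event.target))
    return hits


def scan(events):
    """Run every rule over every event; returns [(pid, rule, detail)]."""
    return [(e.pid, rule, detail) for e in events for rule, detail in evaluate(e)]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # Command lines, registry value and file path below are copied from this report.
    Event("process", 3580, r"C:\Windows\SysWOW64\cmd.exe",
          r'''cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit'''),
    Event("process", 4448, PS,
          r'''powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'''),
    Event("process", 468, PS, r'''powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"'''),
    Event("process", 3476, r"C:\Windows\SysWOW64\cmd.exe",
          r"cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe"),
    Event("process", 4460, r"C:\Windows\System32\WScript.exe",
          r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tfcfd.vbs"'''),
    # Not a raw string: a Python raw string cannot end in a backslash.
    Event("process", 3040, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Set-MpPreference -ExclusionPath C:\\'),
    Event("registry", 2040,
          target=r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discordgrabberdataalert",
          data=r'"C:\Users\Admin\AppData\Roaming\discordgrabberdataalert.exe"'),
    Event("file", 2040, target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discordgrabberdataalert.vbs"),
    # Constructed benign events for contrast (pids 9001/9002 are made up).
    Event("process", 9001, PS, r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App' -Force"'''),
    Event("process", 9002, r"C:\Windows\System32\cmd.exe", r"cmd /c start notepad.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {rule:<26} {detail}")
```

Two details the rules are written around: the cmd.exe command line embeds the full powershell command, so the exclusion rule fires on the parent (3580) as well as on each child (4448, 468), which is what you want when reconstructing the chain; and -ExclusionPath arrives as a bare C:\, an @() array, or a quoted path with spaces, so the argument parser handles all three before deciding whether the exclusion is broad. The vendor exclusion of C:\Program Files\Vendor\App is still reported, only at the lower defender_exclusion tier, because any exclusion added from a user session deserves a look. On a host that matches, remove the exclusions with Remove-MpPreference -ExclusionPath / -ExclusionExtension, delete the Run value and the Startup .vbs, and re-scan.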
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: 47339868d6b1e248b7b203c63af7f686
  SHA1: c6a428fad02bf4856683d7314f5bf5e692809f69
  SHA256: a18504c585b1fa84f3c4f7f40d6b77101c59f135efb350368da8fdd3d3879739
  SHA512: c7e499aecfd42a7548c9b596b5f37c1c5dae06d398645abed463831d439d6189e6b76303741a065007ccf453a5614cbf28b3e2219b85bb7e608ebef3a2a6416a
- Filesize: 12KB
  MD5: a72fd299e59ad4aafcf8fe177901630d
  SHA1: bdbde2a69c1ac8ebd0a83fbd99ec0c40aafd147a
  SHA256: d9da98a8e8aba6179d86d3f518b31a022241684d407830ce544652a1ea22096a
  SHA512: 50437ab68f0674c0e5ff221dda40437102cdc10912aea2232e40d39ee8ae664db749b5809752817221a5f211dd4b3c0a45782ca71ae0d564d5e05c5fdea0c462
- Filesize: 86KB
  MD5: 3918a913e66245ecd633914cf6bf8787
  SHA1: 308781490cb78254e141dfeb8fbbf200034d130f
  SHA256: 85fb4aedcdc160f7b678b5a25e37509bc04c6f85842a424aa329ef069c58922b
  SHA512: b3a1a0f1efe70955699b638a707bc02d618b3981f5c10a2e372b810b0cbc0474ef4ce171df49f62321402e0f7193a43f240b830e3867092561e8a17b2fed9a19
- Filesize: 148KB
  MD5: 40f103c0b1ae2a324c9603952e402d39
  SHA1: 70ee62e1b444534d379670db3a1729f4bdee5b98
  SHA256: fe1334213e9e0fa8d2d0c8c28ff587e5cde8233e30e7175cb41cd7e33fb03369
  SHA512: a798854ec4c54102a593b09a7c6ee6dd205ea10cb1733d2dc36e336e7f4c21a9fe8f472a0c6e9738f4c00a973eafef962d2ea0d18637a35aa67837e8a20dc81e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 154KB
  MD5: 71f5dc81a150a7e645e3e7ab4b84fc20
  SHA1: f1d1d7f83c310d24d7f00454fab118b1cb4e6507
  SHA256: 0a4c57c281745b1bbec33b17cf481124e34c7c960dc1e867f5390b3edb273963
  SHA512: 27a4af11b865c8b8f39e4dfea32b864cf672938d99499da18fcff12ea647d475abe4cf4c03e3e3a95e9ae7b964ae372754c83aebf654db40b9a20984f40eba82
- Filesize: 266KB
  MD5: c4552a772dc60787a049c358a68d3eb8
  SHA1: a321d3b31646b2d622e494211db30ef2f0d074e3
  SHA256: 710564d854f80216ea45de04154c7dfdecd981e56e92c87ba2a245739eadb5a6
  SHA512: 7393214bba04dc9027144148b84f41c9bf0221e06c325ed9b9e2235f691d3391abb7c7482bc6d3b09d04629f96a9ecf2b6e5ae81ca7f449fd455efc4942bd284
- Filesize: 92B
  MD5: 4b13abd262e6f452b680b7c404285a32
  SHA1: a5b55774c48678a82ab377a7d23a00ec6a174dea
  SHA256: e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff
  SHA512: 8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8