249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
40s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
29/12/2023, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetterDiscord-Windows(1).exe
Size

75.1MB
MD5

43327119366e52928b9aed0c1e734389
SHA1

3777d8387fba8528b6e433a8e763df5dcd542a48
SHA256

249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697
SHA512

bda75994e6dcf5bc9e5b45d025894d62d0138a9d39c47255cd3b6b6e32f60de973da54bf85de57e8f0ca8a253bf414697c4b06e887d45dded90485ce6832e7f4
SSDEEP

1572864:DMKQ/QO4cQ0dPUnqZUPsziv5IANK+4ZYPDHdH/I1z/dHazC:DzXr50lUnqEneWlWYj21zaC

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3932	BetterDiscord.exe

Loads dropped DLL 4 IoCs

pid	Process
3140	BetterDiscord-Windows(1).exe
3140	BetterDiscord-Windows(1).exe
3140	BetterDiscord-Windows(1).exe
3932	BetterDiscord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3932	3140	BetterDiscord-Windows(1).exe	80
PID 3140 wrote to memory of 3932	3140	BetterDiscord-Windows(1).exe	80
PID 3140 wrote to memory of 3932	3140	BetterDiscord-Windows(1).exe	80

C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows(1).exe
"C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows(1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
  C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
    "C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1540,8166922943141451111,6143444124436253511,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
    "C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,8166922943141451111,6143444124436253511,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
    "C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=renderer --field-trial-handle=1540,8166922943141451111,6143444124436253511,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
    3⤵
    PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
d14c8deb6d84efcaa52a960348a0b223

SHA1
9dd0dfeca8f03cdd4ed415daead241e340da299c

SHA256
f79946406315e8bd170c62fb9b37f1b127275b6a22059a2f70a5d67d39418bd3

SHA512
c53aacae72fdd7e6ac121a1fee73f233d59b0a4910461b547df409f7cf7be8b29c5cd5df8929f45c669d7f800d31ba4ca8beffcc4f5477deb84d15f4bf506f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
192KB

MD5
abde0bf1c44f00474bfb6fde5bb23580

SHA1
80780d5a96b127cbc231a8382a848e28f190f425

SHA256
a16c812a38b2ba0768da3de74e7c607e3385e095f65f0b96a705686e542c8bdf

SHA512
a40e5ba1b4192284d6af1a85114b25fe9d1be5f4c39c96693bd0cbbb484dbea99016f4f6441b4149929f07da20423d9e4281b9d1c4726290235b9096caeee5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
832KB

MD5
d9227d6464b742c3d750c8d23d4926f9

SHA1
6e16a12821bc80d452690674f37def5c3b80d1fd

SHA256
61365c9dc63593cf160189ca8b5f20af5fda533e145f66f874ff83aa48687279

SHA512
5dfd3ee249d0041b77ec6b05374f51c0b4a33adb58eeeb6ada829007b35c97ca4e1c4c7170a6d2b95e72f69527835c1952a21fa0356582d9dacc3b7dccd59d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
820KB

MD5
5b35db232655ae952159d430d31b0a3b

SHA1
69f1358ce3da63ec38dba6477c02fd2bffbff2b7

SHA256
1f7548fab2a28c1598c4a9f718691ad4006e6a635d370f137d9d0ea56f8f4fa7

SHA512
6f9e836b42354bb6f8e41f7ba5d80b84005689a2543db1cb908f390275432c3e868a36ae554048064b55d051eaefe3ca835d9fdbfb6e3fbfffafff0659cba1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\icudtl.dat

Filesize
222KB

MD5
be06083b68c653c83d3993f4d007bc5f

SHA1
a9db45658590331498d4be331514428c39058792

SHA256
4ecde995593bf516bd84286a35dc1830c1c0c92b934bd48752f92fb6a514de8e

SHA512
88543ef579daa90f99e59c1098faa3d90f804e031db4b99398f5950510995e108ef27acd1e258a9282095b670ecf100e60e7bbf432accf8a00745623ffdd0c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\images\canary.png

Filesize
2KB

MD5
a2636a83d1e5d412d1459b3134f0a3e0

SHA1
ad04552d42a12e0aad79995bba521d163f1c6af3

SHA256
dfd3446ba31a55a11b45e0196b4eb2800e0271749c99102660d0df59f2ad9b85

SHA512
c51cf43252083bd2c5a31510f8a1e34bc08b3c142484d40f04d4979bfd334c9c34456f4908ae881e90de355551bccefecf88de187383dc0a0d8e9d146917bb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\images\ptb.png

Filesize
1KB

MD5
d17d46244937c3705cccfe590b5a3d0b

SHA1
318949d0fd6d1638c7e0bb170e59b8d2f3662e34

SHA256
b5b0f8076b0ac106fcc8f172b5e81516b69387f4119ca54715bd00739861fa27

SHA512
930eee25bddfe72835f5ebf6d5bec2e05e2e3a8740a588264efb8b7bb1dd7b46d3ff402206124b5a9878ce317bc64cb53d7fe0611e2a20902e9fc129760dd861

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\v8_context_snapshot.bin

Filesize
161KB

MD5
d88d23551a4d7230f98fe0cbd363695b

SHA1
8e28eb4153e00aa5345bdb539b925a777588a26b

SHA256
72c3c123f10eb6e24c83ee40727a3a632cf7a8b062a3b7c7b41db4bfeda52ce4

SHA512
ea757e91c7cfc766b35da226263e82646f5b1153b8800c5cd69321d98b6d424413dcd7a02413a6a0e2f34905daf84bd21302b7ad58f2ebd814a7ac0a92b9d284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEA42.tmp\BgImage.dll

Filesize
7KB

MD5
487368e6fce9ab9c5ea053af0990c5ef

SHA1
b538e37c87d4b9a7645dcbbd9e93025a31849702

SHA256
e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04

SHA512
bb3ed4c0d17a11365b72653112b48c8c63ab10590dda3dfd90aa453f0d64203000e4571c73998063352240e1671d14da5ee394439899aaa31054fa2e9b722ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEA42.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEA42.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit