Malware Analysis Report

2025-01-22 13:54

Sample ID 240311-j6nxzsfe9w
Target Discord Raider.exe
SHA256 9144901df089a81d94af27a422d3b0c7a96db08c07879ef0d6a0d1676abc4fd9
Tags evasion, persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 9144901df089a81d94af27a422d3b0c7a96db08c07879ef0d6a0d1676abc4fd9

Threat Level: Likely malicious

The file Discord Raider.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-11 08:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-11 08:17

Reported 2024-03-11 08:17

Platform win10v2004-20240226-en

Max time kernel 25s

Max time network 30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe"

Signatures

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58efebd3ce105b5c9044da8374568e93.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58efebd3ce105b5c9044da8374568e93.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58efebd3ce105b5c9044da8374568e93 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFC04.tmpqplfrtebn.exe\" .." | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58efebd3ce105b5c9044da8374568e93 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFC04.tmpqplfrtebn.exe\" .." | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1112 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe
PID 1112 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe
PID 1112 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe
PID 1112 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe
PID 876 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe
PID 876 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe
PID 876 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe
PID 316 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe
PID 316 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe
PID 316 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe
PID 876 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe
PID 876 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe
PID 316 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmpeomvsxi.exe
PID 316 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe | C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmpeomvsxi.exe
PID 3352 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | C:\Windows\SYSTEM32\netsh.exe
PID 3352 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe | C:\Windows\SYSTEM32\netsh.exe
PID 4772 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe
PID 4772 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe
PID 4772 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe
PID 4772 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe
PID 4772 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe
PID 4772 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Raider.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmpeomvsxi.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmpeomvsxi.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe" "tmpFC04.tmpqplfrtebn.exe" ENABLE

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmpofbjckz.exe

C:\Users\Admin\AppData\Local\Temp\tmpEDAD.tmprrkftp.exe

C:\Users\Admin\AppData\Local\Temp\tmpF915.tmpfrjccfzywjpy.exe

C:\Users\Admin\AppData\Local\Temp\tmpF925.tmpfyzsva.exe

C:\Users\Admin\AppData\Local\Temp\tmpFC04.tmpqplfrtebn.exe

C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmpeomvsxi.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
