Analysis
- max time kernel: 121s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: DiscordSetup.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: DiscordSetup.exe
- Resource: win10v2004-20240226-en
General
- Target: DiscordSetup.exe
- Size: 94.6MB
- MD5: c08f6fd1027cf7216bf6a4bb94a7e54a
- SHA1: 83f3d43ddcbe887144ad804bec9527bc36b56b49
- SHA256: ccd1b73aa774e3deefb7672629099eec167b130521b9036b553af6e46ffdbe3f
- SHA512: 2f9f6b61750bdc95df74efcd735cf4696a23dab40b1fb0c799a0ba5fc02a08610c0925c3710cd70a99bf9a0a09e69fb934a80c3dd5e773d50ae9598d169fb06b
- SSDEEP: 1572864:hYLmKqR1jtc9bcgQxZYuxsQZonARqnz2a/XmC+fpjPkkyuJzI886/GJ+5lGoHGw:hYLmKYc9beZFh8z7/2xPW6+c7G2Gw
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2600  Update.exe
  1792  Discord.exe
  2968  Discord.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2920  DiscordSetup.exe
  2600  Update.exe
  2600  Update.exe
  2600  Update.exe
  1792  Discord.exe
  2968  Discord.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2600  Update.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2600  Update.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process           procid_target
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2920 wrote to memory of 2600   2920  DiscordSetup.exe  28
  PID 2600 wrote to memory of 1792   2600  Update.exe        31
  PID 2600 wrote to memory of 1792   2600  Update.exe        31
  PID 2600 wrote to memory of 1792   2600  Update.exe        31
  PID 2600 wrote to memory of 1792   2600  Update.exe        31
  PID 2600 wrote to memory of 2968   2600  Update.exe        32
  PID 2600 wrote to memory of 2968   2600  Update.exe        32
  PID 2600 wrote to memory of 2968   2600  Update.exe        32
  PID 2600 wrote to memory of 2968   2600  Update.exe        32
Processes
- C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
  PID: 2920
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    PID: 2600
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
      Command line: "C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-install 1.0.9039
      PID: 1792
      - Executes dropped EXE
      - Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
      Command line: "C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-firstrun
      PID: 2968
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads