Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 18:19

General

  • Target

    DiscordSetup.exe

  • Size

    94.6MB

  • MD5

    c08f6fd1027cf7216bf6a4bb94a7e54a

  • SHA1

    83f3d43ddcbe887144ad804bec9527bc36b56b49

  • SHA256

    ccd1b73aa774e3deefb7672629099eec167b130521b9036b553af6e46ffdbe3f

  • SHA512

    2f9f6b61750bdc95df74efcd735cf4696a23dab40b1fb0c799a0ba5fc02a08610c0925c3710cd70a99bf9a0a09e69fb934a80c3dd5e773d50ae9598d169fb06b

  • SSDEEP

    1572864:hYLmKqR1jtc9bcgQxZYuxsQZonARqnz2a/XmC+fpjPkkyuJzI886/GJ+5lGoHGw:hYLmKYc9beZFh8z7/2xPW6+c7G2Gw

Malware Config

Signatures

  • Reads local data of messenger clients (2 TTPs)

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 7 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (11 IoCs)
  • Modifies registry key (1 TTP, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (61 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-install 1.0.9039
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
          C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9039 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=28.2.7 --initial-client-data=0x528,0x52c,0x530,0x524,0x534,0x827800c,0x8278018,0x8278024
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2096
        • C:\Users\Admin\AppData\Local\Discord\Update.exe
          C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
          4⤵
          • Executes dropped EXE
          PID:3736
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
          "C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1948 --field-trial-handle=1952,i,15242475349511559386,10096802058289808418,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4424
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
          "C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2184 --field-trial-handle=1952,i,15242475349511559386,10096802058289808418,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2732
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1492
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:1552
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:1668
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\",-1" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:756
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\" --url -- \"%1\"" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:3612

Network

        MITRE ATT&CK Enterprise v15

        Downloads
