hxxps://cdn[.]discordapp[.]com/attachments/1238588297035644979/1238588390786465912/S3RVER_CL0NER[.]exe?ex=66407d94&is=663f2c14&hm=e3fd0a4afacb857595daba2e8a700ad305d290bc687d43f5348b5091d3e11e7a&

Analysis

max time kernel
49s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1238588297035644979/1238588390786465912/S3RVER_CL0NER.exe?ex=66407d94&is=663f2c14&hm=e3fd0a4afacb857595daba2e8a700ad305d290bc687d43f5348b5091d3e11e7a&

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 34 IoCs

pid	Process
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
1400	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe
2388	S3RVER_CL0NER.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	S3RVER_CL0NER.exe
Token: SeDebugPrivilege	2388	S3RVER_CL0NER.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe
4488	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1400	2116	S3RVER_CL0NER.exe	118
PID 2116 wrote to memory of 1400	2116	S3RVER_CL0NER.exe	118
PID 1400 wrote to memory of 4504	1400	S3RVER_CL0NER.exe	119
PID 1400 wrote to memory of 4504	1400	S3RVER_CL0NER.exe	119
PID 1400 wrote to memory of 5116	1400	S3RVER_CL0NER.exe	120
PID 1400 wrote to memory of 5116	1400	S3RVER_CL0NER.exe	120
PID 4928 wrote to memory of 2388	4928	S3RVER_CL0NER.exe	123
PID 4928 wrote to memory of 2388	4928	S3RVER_CL0NER.exe	123
PID 2388 wrote to memory of 384	2388	S3RVER_CL0NER.exe	125
PID 2388 wrote to memory of 384	2388	S3RVER_CL0NER.exe	125
PID 2388 wrote to memory of 4908	2388	S3RVER_CL0NER.exe	126
PID 2388 wrote to memory of 4908	2388	S3RVER_CL0NER.exe	126

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1238588297035644979/1238588390786465912/S3RVER_CL0NER.exe?ex=66407d94&is=663f2c14&hm=e3fd0a4afacb857595daba2e8a700ad305d290bc687d43f5348b5091d3e11e7a&
1⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4608 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5100 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
1⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5828 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5128 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4688 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
1⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6072 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
1⤵
PID:4000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6100 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5700 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:5048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x49c
1⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6232 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4496

C:\Users\Admin\Downloads\S3RVER_CL0NER.exe
"C:\Users\Admin\Downloads\S3RVER_CL0NER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\Downloads\S3RVER_CL0NER.exe
  "C:\Users\Admin\Downloads\S3RVER_CL0NER.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Made by shulio#9683
    3⤵
    PID:5116

C:\Users\Admin\Downloads\S3RVER_CL0NER.exe
"C:\Users\Admin\Downloads\S3RVER_CL0NER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\Downloads\S3RVER_CL0NER.exe
  "C:\Users\Admin\Downloads\S3RVER_CL0NER.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Made by shulio#9683
    3⤵
    PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4652 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21162\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_asyncio.pyd

Filesize
59KB

MD5
483bfc095eb82f33f46aefbb21d97012

SHA1
def348a201c9d1434514ca9f5fc7385ca0bd2184

SHA256
5e25e2823ed0571cfdbae0b1d1347ae035293f2b0ac454fb8b0388f3600fd4b6

SHA512
fe38b3585fbfaf7465b31fbc124420cfbd1b719ea72a9ae9f24103d056c8fa9ae21c2a7dd3073810222405457beff89bbb688daeced3219351a30992a6721705

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_bz2.pyd

Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_lzma.pyd

Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_overlapped.pyd

Filesize
44KB

MD5
bf3e86152b52d3f0e73d0767cde63f9f

SHA1
3863c480a2d9a24288d63f83fa2586664ec813a2

SHA256
20c94846417ee3ca43daa5fae61595ad7e52645657fda5effe64800fe335ff0d

SHA512
8643f94ece38246769ff9ba87a249b8afde137cf193ff4d452937197ce576816c1ce044c4ad2951bc5535cc3acf1b27e9f2be043b8175c5a2ca2190b05dc0235

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\_ssl.pyd

Filesize
152KB

MD5
9d810454bc451ff440ec95de36088909

SHA1
8c890b934a2d84c548a09461ca1e783810f075be

SHA256
5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7

SHA512
0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\base_library.zip

Filesize
812KB

MD5
c1763c2c61ee50a2e7f98f7e595cd9ec

SHA1
fa4e5afa2a4b97ffef9a4d45715e8bcf4cb8e58e

SHA256
1a9591e171b8e371894dadb3420ee8491cb607c151b84cd5455efe32fab18438

SHA512
fe9ab67a98a0f6e2f92bf6306472ba557978ceacf5538c71e6923fb29336378ea26ec5cf8fdf97a989e20305c9b0e5d2cc56be711cace848bd13e8a4af69c746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\psutil\_psutil_windows.cp310-win_amd64.pyd

Filesize
64KB

MD5
7c46d46a2ffdf05793e83c9fabf472ff

SHA1
27d38da2cfd0b8fb35671d7fa3739d7446d0ac09

SHA256
a47da972f8440f6713328c5d9e5d805a0fb5d6325e45ed921f0f86c1ca662b59

SHA512
2ff79a51991cf5a6efbaf6135096c53b3614d1d772852892745c3e44f871caf52c374e4fd8d794c3f04c0a54dd77d1a0acf10cb9c43875409d9598980e79aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\python3.DLL

Filesize
60KB

MD5
0812ee5d8abc0072957e9415ba6e62f2

SHA1
ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5

SHA256
84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec

SHA512
18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit