hxxps://cdn[.]discordapp[.]com/attachments/1235304162724417576/1238879646544560208/loader[.]exe?ex=6640e415&is=663f9295&hm=06bce89284f10681e2e7cabdfd29fecc5f1976fc1ed6ad107404afa327127957&

Analysis

max time kernel
480s
max time network
485s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1235304162724417576/1238879646544560208/loader.exe?ex=6640e415&is=663f9295&hm=06bce89284f10681e2e7cabdfd29fecc5f1976fc1ed6ad107404afa327127957&

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000002a9c7-28.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 474958.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4788	msedge.exe
4788	msedge.exe
3504	msedge.exe
3504	msedge.exe
1548	identity_helper.exe
1548	identity_helper.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 764	4788	msedge.exe	79
PID 4788 wrote to memory of 764	4788	msedge.exe	79
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4632	4788	msedge.exe	81
PID 4788 wrote to memory of 4716	4788	msedge.exe	82
PID 4788 wrote to memory of 4716	4788	msedge.exe	82
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83
PID 4788 wrote to memory of 5116	4788	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1235304162724417576/1238879646544560208/loader.exe?ex=6640e415&is=663f9295&hm=06bce89284f10681e2e7cabdfd29fecc5f1976fc1ed6ad107404afa327127957&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c24d3cb8,0x7ff9c24d3cc8,0x7ff9c24d3cd8
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,420442171752014181,6254522902881422827,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5580 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cdd87cbe958b888a9c95fdd82eaa6a00

SHA1
c9ca8a1eb57687ed78ea518fe21cfff9430e4fad

SHA256
0c46bb3a9a9b36cf80c054aae5dc39d7f0225d5ac2beab82b01b2af17ad79e15

SHA512
91c303864e05e3b62878c91ac7610f6c5fbfe4f4426ee6b7d96be5a5677b5869d5b24a6a8bc9dc8cc976a4e170cf377dc677e93eb972f8db426d7262478fb0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46a8a768e73f92d2d093f1ceec74d50e

SHA1
6668616a2f456d5efc6a963841fc11ccaee62b26

SHA256
aa66cc5586103f89e85dc55e7c8028cc8332629360b1ca5d6867eb6c0d7720d1

SHA512
49c1720ee88734c47f83a64e3950b7bbc2a1958728f9351594b4744072ea14c338e616335ed1dfa061f9ab05cf899bbd4c7ab5e82afb8fb58aad53a462dc7e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0fb1a83d4e09fb64366c5573942565ea

SHA1
4788ee2f4f75cf5f16fdbc831eaf5a8d3e7a46be

SHA256
e94310054b332a9d30942912d225fa3f03380b8167cd1f43538a7a5472a3cb5e

SHA512
4ecd54f7bb758f448630090d235447784546c8d3374d6c9ad9b7933e5162a7f5a00b11d1cad259600ecd921106d15d5cb6186c015b2ddb7a3c1d10bced4b0eeb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 474958.crdownload

Filesize
496KB

MD5
ee41464dc33704232a15e15dd5d1fe90

SHA1
1e70a05fdfb359c5d119dd98c656f9a267dc2d9f

SHA256
6e0e001c261576f7ef457a98dbed22fbd1b852d5d7fa722a3d372f0af85bedf9

SHA512
bd4b6b25afb8549221681d6802fa2326ef08c82786a3e6a0ce7f9dddd2b9516385d85454a0d0ab70773bb3cc9c792121fe88e2a52e01f1f47c784ddc1ec0f5aa

Download Submit