Analysis
- max time kernel: 17s
- max time network: 17s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-06-2024 06:29
Behavioral task: behavioral1
- Sample: DiscordRaider.exe
- Resource: win10-20240404-en
General
- Target: DiscordRaider.exe
- Size: 3.8MB
- MD5: 05719a9ad94b721f9aa024cdb7671dae
- SHA1: 75821d8a850962529e56916eaf3efb3f3411db3c
- SHA256: ffc5f19ed31c714e3dd4e5f77044b55b5540699a3e66e18bbf8e0e411b2450e6
- SHA512: e67a3af46556003a4d4143cfd6e25d414f3a59db1afe156f5a65b579eaa9286f26865108dcc1e3c5891e20077b4bc4a0f0752c4ae2f51f475f74b5166c0103bd
- SSDEEP: 24576:qaKB4VuLVL44444VvqMI9rRE1Gkut6K2Uq//xw0ap+HhjM1R3s9rkTM6EcF7bXY5:qaOmGrWUq60vG0YJEigqLdp
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Processes:
  - resource: behavioral1/memory/4912-0-0x0000000000400000-0x00000000007CE000-memory.dmp; yara_rule: modiloader_stage2
- Drops file in Windows directory (2 IoCs)
  Processes (taskmgr.exe):
  - File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
  - File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (taskmgr.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - pid 420, taskmgr.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (taskmgr.exe):
  - Token: SeDebugPrivilege, pid 420, taskmgr.exe
  - Token: SeSystemProfilePrivilege, pid 420, taskmgr.exe
  - Token: SeCreateGlobalPrivilege, pid 420, taskmgr.exe
- Suspicious use of FindShellTrayWindow (23 IoCs)
  Processes:
  - pid 420, taskmgr.exe (23 identical entries)
- Suspicious use of SendNotifyMessage (22 IoCs)
  Processes:
  - pid 420, taskmgr.exe (22 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DiscordRaider.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordRaider.exe"
  PID: 4912
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 420
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/4912-0-0x0000000000400000-0x00000000007CE000-memory.dmp (Filesize: 3.8MB)