Analysis

  • max time kernel
    1484s
  • max time network
    1495s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18-06-2024 21:29

General

  • Target

    Discord Tools beta/Discord Tools/SETUP.bat

  • Size

    2KB

  • MD5

    3cadc3d1f11546fcf91c76e7d90ac0d5

  • SHA1

    900e24b48ce1a086b33871afb32c2c12fd03717d

  • SHA256

    4786443e83e0f945a0a20a18bd770c7d2ae2896665752846e5fc996a26fcb82b

  • SHA512

    5fc5a254c97890e00c206cb72a9efd7ff4909d0b12245a4498c560e5404c8666cd02a83d078af58184ff4da898fa3748b585ae9df6dc9b1b14502ba7e3ba151a

Score
7/10

Malware Config

Signatures

  • Use of msiexec (install) with remote resource 3 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Discord Tools beta\Discord Tools\SETUP.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\system32\msiexec.exe
      msiexec /i https://www.python.org/ftp/python/3.8.12/python-3.8.12-amd64.exe /qn
      2⤵
      • Use of msiexec (install) with remote resource
      • Suspicious use of AdjustPrivilegeToken
      PID:4588
    • C:\Windows\system32\msiexec.exe
      msiexec /i https://www.python.org/ftp/python/3.9.12/python-3.9.12-amd64.exe /qn
      2⤵
      • Use of msiexec (install) with remote resource
      • Suspicious use of AdjustPrivilegeToken
      PID:3100
    • C:\Windows\system32\curl.exe
      curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
      2⤵
      PID:4672
    • C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
      python get-pip.py
      2⤵
      PID:4660
    • C:\Windows\system32\msiexec.exe
      msiexec /i https://www.python.org/ftp/python/3.10.2/python-3.10.2-amd64.exe /qn
      2⤵
      • Use of msiexec (install) with remote resource
      PID:4888
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3728

Network

MITRE ATT&CK Matrix

Downloads