Analysis
- max time kernel: 118s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 19:02
Static task: static1

Behavioral tasks:

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | BetterDiscord-Windows.exe | win7-20240221-en |
| behavioral2 | BetterDiscord-Windows.exe | win10v2004-20240611-en |
| behavioral3 | $PLUGINSDIR/System.dll | win7-20240611-en |
| behavioral4 | $PLUGINSDIR/System.dll | win10v2004-20240508-en |
| behavioral5 | $PLUGINSDIR/splash.bmp | win7-20240221-en |
| behavioral6 | $PLUGINSDIR/splash.bmp | win10v2004-20240611-en |
| behavioral7 | LICENSE.electron.txt | win7-20240611-en |
| behavioral8 | LICENSE.electron.txt | win10v2004-20240508-en |
| behavioral9 | chrome_100_percent.pak | win7-20240611-en |
| behavioral10 | chrome_100_percent.pak | win10v2004-20240226-en |
| behavioral11 | chrome_200_percent.pak | win7-20240508-en |
| behavioral12 | chrome_200_percent.pak | win10v2004-20240611-en |
| behavioral13 | d3dcompiler_47.dll | win10v2004-20240611-en |
| behavioral14 | ffmpeg.dll | win7-20240508-en |
| behavioral15 | ffmpeg.dll | win10v2004-20240508-en |
| behavioral16 | icudtl.dat | win7-20240611-en |
| behavioral17 | icudtl.dat | win10v2004-20240508-en |
| behavioral18 | libEGL.dll | win7-20240221-en |
| behavioral19 | libEGL.dll | win10v2004-20240611-en |
| behavioral20 | libGLESv2.dll | win7-20240508-en |
| behavioral21 | libGLESv2.dll | win10v2004-20240508-en |
| behavioral22 | locales/am.pak | win7-20240508-en |
| behavioral23 | locales/am.pak | win10v2004-20240611-en |
| behavioral24 | locales/ar.pak | win7-20240611-en |
| behavioral25 | locales/ar.pak | win10v2004-20240611-en |
| behavioral26 | locales/bg.pak | win7-20240220-en |
| behavioral27 | locales/bg.pak | win10v2004-20240508-en |
| behavioral28 | locales/bn.pak | win7-20240508-en |
| behavioral29 | locales/bn.pak | win10v2004-20240611-en |
| behavioral30 | locales/ca.pak | win7-20240508-en |
| behavioral31 | locales/ca.pak | win10v2004-20240611-en |
| behavioral32 | locales/cs.pak | win7-20240611-en |
General
- Target: locales/cs.pak
- Size: 107KB
- MD5: 0325d16a747cca73a3a2b0c94fac123d
- SHA1: e5989627742ecee5f8996001002e97627bfbe10d
- SHA256: c00829fc57c7e1e5419fe3202f114d394a590b8b32b1e55af42772c93755945d
- SHA512: b824297df25c097251432fa72ae1258092e692ff3e4c527599897d7d3e71007cbd80e300de54b87146889f71d537c7d297c1b3cac04b6e08d7ce29132ec9e5dc
- SSDEEP: 1536:6G+wdXqt5qYSP7ymjLEwoVD33zSYoYlBw/dhRRkP+8QUQdbiE:JvXPjyfaYl6/P2+8QUQdbd
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | rundll32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\ | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak | rundll32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak\ = "pak_auto_file" | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command | rundll32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe |

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe

| pid | process |
|---|---|
| 2604 | AcroRd32.exe |

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe

| pid | process |
|---|---|
| 2604 | AcroRd32.exe |
| 2604 | AcroRd32.exe |

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 2188 wrote to memory of 2752 | 2188 | cmd.exe | rundll32.exe |
| PID 2188 wrote to memory of 2752 | 2188 | cmd.exe | rundll32.exe |
| PID 2188 wrote to memory of 2752 | 2188 | cmd.exe | rundll32.exe |
| PID 2752 wrote to memory of 2604 | 2752 | rundll32.exe | AcroRd32.exe |
| PID 2752 wrote to memory of 2604 | 2752 | rundll32.exe | AcroRd32.exe |
| PID 2752 wrote to memory of 2604 | 2752 | rundll32.exe | AcroRd32.exe |
| PID 2752 wrote to memory of 2604 | 2752 | rundll32.exe | AcroRd32.exe |
Processes
- C:\Windows\system32\cmd.exe (PID 2188)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2752)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\cs.pak
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2604)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\cs.pak"
      Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 8458d0d3d093c014916ac8604a056855
  SHA1: f224bb39256b96c971dfc92100daa43b86445211
  SHA256: 579eaf892faf600e12512a37b9bf7ca64ad2d4309c51d8e5ed61fcabbf2826ce
  SHA512: 62adc8a5ac660132a9fa5e5e341ace6d9428e2670a4ab19f35cf87523fb54e9b53b88af91f42a1be0b549a896fb737965050b258feef06c22620acc6e706f8f8