Overview

overview

3

Static

static

3

VencordInstaller.exe

windows10-1703-x64

1

VencordInstaller.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    80s
  • max time network
    80s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-08-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VencordInstaller.exe

  • Size

    9.9MB

  • MD5

    1b8ee61ddcfd1d425821d76ea54ca829

  • SHA1

    f8daf2bea3d4a6bfc99455d69c3754054de3baa5

  • SHA256

    dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

  • SHA512

    75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

  • SSDEEP

    98304:jmPUf5A91QP5oToUsbeRwcyHekFeSpc12EKw+KVktWHBLmpTN5huJd3kMerGpNTt:SqqQP5oKswpLi3gOW

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\VencordInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\VencordInstaller.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:164
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.0.714621098\1072880065" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4712e7-8712-4988-b841-a9f87ae3f2f6} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 1796 24f538f8158 gpu
        3⤵
          PID:3464
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.1.1909890117\1378799382" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bdf1ce0-e4f0-4a7b-be9c-7a05a3859ff0} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2152 24f5380bd58 socket
          3⤵
          • Checks processor information in registry
          PID:3668
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.2.696474581\223950835" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2776 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b248a370-34df-46d1-83a5-796f508c5db9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2724 24f57997858 tab
          3⤵
            PID:3088
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.3.1613268840\1411487348" -childID 2 -isForBrowser -prefsHandle 2712 -prefMapHandle 3412 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {113abc53-a95d-4bac-abec-79779cd6c39b} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 3476 24f48763858 tab
            3⤵
              PID:2248
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.4.745906470\1656154645" -childID 3 -isForBrowser -prefsHandle 4156 -prefMapHandle 4148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed25e2cf-b470-44cc-8bc1-e059afa61a6d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4164 24f589c8158 tab
              3⤵
                PID:3732
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.5.1023546972\228568231" -childID 4 -isForBrowser -prefsHandle 4860 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82811e18-a1e2-4830-8376-0b9b22b3fbaf} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4832 24f57940558 tab
                3⤵
                  PID:3240
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.6.1128072292\411835131" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8107e421-b4b9-4bf8-bb06-334c37c9b9c9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4932 24f57941758 tab
                  3⤵
                    PID:492
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.7.1942809981\232851173" -childID 6 -isForBrowser -prefsHandle 4908 -prefMapHandle 5124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d82b9bb4-10d0-47fd-a803-e92b03cc2def} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5116 24f57940b58 tab
                    3⤵
                      PID:3796
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.8.606018329\2062270636" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0eccb8-704f-40b1-9ecb-6b4af891aa7c} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5580 24f5be03558 tab
                      3⤵
                        PID:3004
                  • C:\Windows\system32\OpenWith.exe
                    C:\Windows\system32\OpenWith.exe -Embedding
                    1⤵
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:656
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:3084

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      57559501b1789298584a092699c5a747

                      SHA1

                      1fa40aa92c13e93d5150c76ead95a31d91ba0a59

                      SHA256

                      ef3043ba7eebf605ab46b5535e3cad0ecebc768c41a7ed756a42d65bbc476487

                      SHA512

                      2a0c5d3e0e872fb9aa3b757b99d167db829282ca819ad9c5c1f18e7b39bee2b1bd8319297fa8e4b69c923fa463a3f3d9ab446b8a838fb542157f02efae9589be

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\99e09c2a-3b0b-4396-970b-84a90a0a1d6a
                      Filesize

                      11KB

                      MD5

                      a8b4cf16b1d763641d76aa6b3a61cc69

                      SHA1

                      736ecbe3f9d1e404f930b7fd36d4867d64878088

                      SHA256

                      f31c774fc1d45b2dc4bdf7425c887ae71e1283f02036a23816f7d878af9aa11e

                      SHA512

                      a7800d772adc9ebb30d54cd91026ea591f2b717ddb08248139fbea8a846ae86b17e29b79d0789cc87007f650c9409fd56ca7bdeeb68f18f6d62b06c124f56729

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\f3cfe626-740e-47af-a764-2693285ae652
                      Filesize

                      746B

                      MD5

                      4a9c81b997c8d6f47af3a7bd56ec6fd6

                      SHA1

                      b631ecc1c0dfcb279186b03f9be737a441c31e49

                      SHA256

                      79f31d18d213a673959fff892e3da59448dd572a82d044e229bb3ec3d13f6e11

                      SHA512

                      41c9532de9a838fcf3c8ab70d151c2ac5a8e4263baa1bff1618784fd8fb732a8c6d19c4f3e123c5fb733ae4a372870606074f161c3005dec847d1478f8b11d30

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      9b0087eccf45986b364dd5e763042882

                      SHA1

                      a308b469052ff125fe598e638ce90e1b27f19f30

                      SHA256

                      dbbddbce15dfec4190a4ac173dec4ae8531985c7a33a8b80eb8de9ad58a3daa8

                      SHA512

                      b9fd61c41904a2420e11a9ffe745deb75ac02811821625d312895a20f38280c5932ad771e4b02b200934d13271a8a54c44324521bd9f9748de28e3d18fb6374a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      479b4e9a77fe3735841f794bd41435e9

                      SHA1

                      03291f6f34dc5d0676f0ea26e85b0e19098d5db1

                      SHA256

                      6a9259846c3cfda3eb9698625686462b310a763305a934e722456224f96015a5

                      SHA512

                      a29d960d0d7a62bbf9bcfb508ec35d577bec21580b40965a94c68e2af0e8c0690cbba96d684de8c9e761157852eb179ed74101c04ec9d7a8b2d28dd1fc3f1b01

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      dda3d86dc14c39418f26da532298abcd

                      SHA1

                      863d1bbd0f332c9e5d6d2eb5b65bc60b9f607353

                      SHA256

                      19fb8a8fcd5923516aa1ecf61d22427ccdff3f86ee2777a52b15b743552f43b5

                      SHA512

                      ffa29ac9542f719122665c78fa98f3e1cb60736d7b24ebe159249f630b543c79a586844c4cac2465c805d3b6362636aaf772e462c18a8ab0e98df41793df1216

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp
                      Filesize

                      259B

                      MD5

                      c8dc58eff0c029d381a67f5dca34a913

                      SHA1

                      3576807e793473bcbd3cf7d664b83948e3ec8f2d

                      SHA256

                      4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

                      SHA512

                      b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      8f0ade1fd97b655ef466beec89e4a828

                      SHA1

                      1577803dc547e7375e0aa138968ee22bcb1636c0

                      SHA256

                      1501e0e9325a79eb6ceee06864262851f71b29840175e73002de08fe66174f7d

                      SHA512

                      c586d4f2b9b4575610a81762ef65502ffe2f926a68571fd0761650d3ce003bd8c67069305443db21bcf02c9734fbec4226b640f13820f60dc46c10531a0206db

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      49fa74aba36cbea53db395ae4eda403a

                      SHA1

                      508949506a4738803a38f506e1be20f0aae37c2b

                      SHA256

                      ee4a95658fdddde542b12a60bd29ca98284e2b4c0551da0ffa537f3e73704d71

                      SHA512

                      b2b437891f6307f9f4a3cf21c4d10c80a472c20daf0749125e2cd30ff185f265329b793689eddde5773a0367a5c93d8a0f116cdd2de5a595017a7a3c7c64b656

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
                      Filesize

                      4KB

                      MD5

                      6b285f3c4c5d739c6e89cbda47329610

                      SHA1

                      cf68b089f78b42eff0f48424b7778935893af733

                      SHA256

                      57fc4407b1fc6316a9a222ef598fe4060c6bc0b4515ac44f5c1e27b006555210

                      SHA512

                      2bd725a22ddb3e9c1d59ce47709ecdb620fca51f28c12a1e595a9e3101fd3f67615b139e8e3d705fccc52f2e6139ba13c01ae0b300a8b5a50d4f2d10dc5c2298

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      7f868e557b098795d645df9ea302427f

                      SHA1

                      001f3306144559b4049a8ab139b4139f51e59c0e

                      SHA256

                      b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

                      SHA512

                      56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

                      Download Submit

                    • memory/920-0-0x00007FF7B7E20000-0x00007FF7B9099000-memory.dmp

                      Filesize

                      18.5MB

                      Download