Overview

overview

10

Static

static

3

imtp.zip

windows7-x64

1

imtp.zip

windows10-2004-x64

1

setups.lol...up.exe

windows7-x64

4

setups.lol...up.exe

windows10-2004-x64

7

setups.lol...or.exe

windows7-x64

1

setups.lol...or.exe

windows10-2004-x64

1

setups.lol...1).exe

windows7-x64

3

setups.lol...1).exe

windows10-2004-x64

10

setups.lol...1).exe

windows7-x64

8

setups.lol...1).exe

windows10-2004-x64

8

setups.lol...in.exe

windows7-x64

4

setups.lol...in.exe

windows10-2004-x64

4

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...st.exe

windows7-x64

4

$R0/Uninst...st.exe

windows10-2004-x64

4

setups.lol...43.zip

windows7-x64

1

setups.lol...43.zip

windows10-2004-x64

1

VBCABLE_Co...el.exe

windows7-x64

3

VBCABLE_Co...el.exe

windows10-2004-x64

3

VBCABLE_Setup.exe

windows7-x64

3

VBCABLE_Setup.exe

windows10-2004-x64

3

VBCABLE_Setup_x64.exe

windows7-x64

1

VBCABLE_Setup_x64.exe

windows10-2004-x64

1

vbaudio_ca...03.sys

windows7-x64

1

vbaudio_ca...03.sys

windows10-2004-x64

1

vbaudio_ca...ta.sys

windows7-x64

1

vbaudio_ca...ta.sys

windows10-2004-x64

1

Analysis

  • max time kernel
    90s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-08-2024 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setups.lol/DiscordSetup.exe

  • Size

    108.8MB

  • MD5

    8a74c6f5d610cb136aa24415ba837541

  • SHA1

    ae8b152d75129630cabceda73abfe961a479cc07

  • SHA256

    12a56a6df3f57af96c0f2cb95fa26fbed515b5e98e36c6ab266c16928c1744ef

  • SHA512

    263d5ef9cc4ea20b1414927af6c841a66640ec5c5aee9b42a24149162eb41019e99dbeaf878a942855366b7df6243704f5ac84f8f306ff0edd3f9cff96a8d23b

  • SSDEEP

    3145728:3nxcd7Su2b+gvdzdbZhcHxBXE8/ObjfC/KDkl:3i7iqqxw4VJAl

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 11 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setups.lol\DiscordSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\setups.lol\DiscordSetup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe" --squirrel-install 1.0.9153
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe
          C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9153 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.1.0 --initial-client-data=0x4f0,0x4f4,0x4f8,0x4e0,0x4fc,0x7ff6c20b9218,0x7ff6c20b9224,0x7ff6c20b9230
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2280
        • C:\Users\Admin\AppData\Local\Discord\Update.exe
          C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2572
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe
          "C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,14181922413011199479,17959513143923436748,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4580
        • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe
          "C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2376,i,14181922413011199479,17959513143923436748,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:5012
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:800
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:3044
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:4952
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe\",-1" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:1320
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\Discord.exe\" --url -- \"%1\"" /f
          4⤵
          • Modifies registry class
          • Modifies registry key
          PID:3652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\app.ico
    Filesize

    278KB

    MD5

    084f9bc0136f779f82bea88b5c38a358

    SHA1

    64f210b7888e5474c3aabcb602d895d58929b451

    SHA256

    dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

    SHA512

    65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\chrome_100_percent.pak
    Filesize

    146KB

    MD5

    6c2827fe702f454c8452a72ea0faf53c

    SHA1

    881f297efcbabfa52dd4cfe5bd2433a5568cc564

    SHA256

    2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663

    SHA512

    5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\chrome_200_percent.pak
    Filesize

    220KB

    MD5

    77088f98a0f7ea522795baec5c930d03

    SHA1

    9b272f152e19c478fcbd7eacf7356c3d601350ed

    SHA256

    83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d

    SHA512

    5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\d3dcompiler_47.dll
    Filesize

    4.7MB

    MD5

    a7b7470c347f84365ffe1b2072b4f95c

    SHA1

    57a96f6fb326ba65b7f7016242132b3f9464c7a3

    SHA256

    af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    SHA512

    83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\ffmpeg.dll
    Filesize

    3.9MB

    MD5

    3cb549134a46775ac4fbea5982f5eb9e

    SHA1

    ea22c9e6fefb36a3d6553250a233fc24f67cb8f0

    SHA256

    76fc95aad662d9c6b1bc89c0a2d8b85868a77b8c3409598d445b1fd8b367691c

    SHA512

    4bd8858db44caa3781047742013378aa3b6b6bdd9d4a95bf6c0708f5edd29dd1f33abfaaf80aa1bb1a9f6fee15c02f0b7b56e204b17c1fd5731069f8ef1bc22f

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\icudtl.dat
    Filesize

    10.2MB

    MD5

    74bded81ce10a426df54da39cfa132ff

    SHA1

    eb26bcc7d24be42bd8cfbded53bd62d605989bbf

    SHA256

    7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

    SHA512

    bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\libEGL.dll
    Filesize

    486KB

    MD5

    00a55d53a5f92871aed81f403708c90f

    SHA1

    909568d8969a31a29c69bd7dc0c3d65e29bbd5f7

    SHA256

    bfeb656a0a32f32cf52fb5b52a4ce16b5758fdb6e5bdc3ca8e068f4573fcdf11

    SHA512

    8bfa3ed07239af687842846b388d2675c2099d8623c42ab7e04e33f7248346f4eaa93e7b0b2067731075083a870ebe10488a4a2667189f05f8a74043261e4dc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\libGLESv2.dll
    Filesize

    7.6MB

    MD5

    1522fb6a6270fe3a65a94a1ff53c7896

    SHA1

    7753cbba31e0ed4f88a462229501b7c21654fed3

    SHA256

    95c74ace42d2e251f994ac489dc5cef713596b8befc2273300934e2672caf2d4

    SHA512

    448bffa2b3a0968f9bb8e2fbefefb96b171269d25f52e628af4a28c117f934f129b243f89454dfe68fd52daf9cba89e340adcf488427999fda585b144ac57b8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\locales\en-US.pak
    Filesize

    443KB

    MD5

    88bbc725e7eedf18ef1e54e98f86f696

    SHA1

    831d6402443fc366758f478e55647a9baa0aa42f

    SHA256

    95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795

    SHA512

    92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\resources.pak
    Filesize

    5.1MB

    MD5

    db3fa7a7f7af66bbb73c1c0a46187572

    SHA1

    5c6f2b5c01a20f204bb67f28a907dec4cd98bce8

    SHA256

    0e114f6464cecae87988c1dd65ea1bc939681fee6415d343e947a5889717165f

    SHA512

    e639e96c36fa67dfdc7098c7d6863ee421a2de9fa49630038e8abf4f152b03e0bbb80eee0d40a68cac5a48bfa75f0cc3542c1170dd65ab1bf5626450f803d410

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\resources\app.asar
    Filesize

    6.3MB

    MD5

    636ea6336893f6eb2573df46a7fd66e5

    SHA1

    98c8b968e1ebc8123cf6911fe1f9896662d0daa5

    SHA256

    5c34c67237049ea0e0e7aa7c515000e06fb3103dc487c99592ce19111253fad2

    SHA512

    5710474132f7fa130b8a90947369af4dca14c6379a3edc51865b3ce8a8195265c402f6985755e0ca46a7a6f251c0fb969bae43eab1214a47978ea7213be2be01

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\resources\build_info.json
    Filesize

    83B

    MD5

    a7f101bc1e2ad9be5d9fc5f896c0fb13

    SHA1

    2ea7dc7d699d9f2ad4feef9d8afbd4841a4e4dfc

    SHA256

    b25bd24bb71428075815d16e7cb1cec538eff1aeb1197290d66ba523be8ea62d

    SHA512

    76fa61c211d2ba8bf47f1ade0440040a8d656a912a90340f1df713536bf29eb0f0c521c248668f504129247b23104def17acc72380207e603332783996683dc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\v8_context_snapshot.bin
    Filesize

    641KB

    MD5

    228cb75c5b14fb790ec913a34c12b4d6

    SHA1

    aa6dbfb6cd403be3110f85c2a3ae72ab575645fb

    SHA256

    bb9c5a66316280c3d90ad63e20e34a7311972632bfd927f9d192407c13714444

    SHA512

    ab6b94de633b71a99b58f3924b0b8a351e0899ccff0fdab35e06938ad22ed62548a331b0b296a886f67941a642fd32d00ec2297b0d687139c0e57d2919739c19

    Download Submit

  • C:\Users\Admin\AppData\Local\Discord\app-1.0.9153\vk_swiftshader.dll
    Filesize

    5.1MB

    MD5

    cb1b502e70ba37e12936f0a3913e4063

    SHA1

    e3e44dbc98b38d00887ddce59f7c5cc028b0f950

    SHA256

    b1e450a0ea89e9acd99d82a1462d931624f6ed551eeb594fafef9e050b14d007

    SHA512

    df59924d3e6fa0112e4b40bb081ab6cd9dfd67c2ea21f83a259f0962bac6df6325fb1624f4c20fe011f6a857590fc9e88238f4537d6048fb2ed0425df77844ca

    Download Submit

  • C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
    Filesize

    81B

    MD5

    095bf4bbc25e9a362088dabe1a22b0c8

    SHA1

    75b817c3689845aba89c5a97215d13551ac8f44a

    SHA256

    d3f18c5ba4c47d46fd74eac5f159e8f012d2913902ceff513920dd2019e5940b

    SHA512

    fc6805fa5f859d31f1a54ba73f2e4b02cbdd96251f2ef6421d3982d44a43524c35b67660e90221c7f451daebb8f410d876ad350d15f15c4253cf88302a602747

    Download Submit

  • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    Filesize

    1.5MB

    MD5

    a2df8e9998f295b64f8ee4fd4917b7d4

    SHA1

    e9025abc70ff01d748a05afe9aac66728f5282ed

    SHA256

    8e2b07bfe042629cadcc8a8d91234652e2efd6c92e732594d62fa856db8acedf

    SHA512

    1a56b1cf54439d9e067f6d836b69a6ef77f1449ffaf187ef3113145ac1a383af6d8cedc2728afffe83fdf31191a64d4c192660dc53823c5ef5edf0f037ce11e7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • \??\pipe\crashpad_1680_ZZHLEWTBDWRGJIOT
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/1816-198-0x0000000006AB0000-0x0000000006AE8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1816-199-0x0000000006A90000-0x0000000006A9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1816-191-0x00000000128E0000-0x00000000128E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1816-9-0x0000000000C90000-0x0000000000E06000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2572-236-0x0000000005950000-0x0000000005970000-memory.dmp

    Filesize

    128KB

    Download