Overview

Tasks (score, sample, platform):
- 5  Static                  static
- 3  BetterDisc...ws.exe     windows10-1703-x64
- 5  $PLUGINSDI...ge.dll     windows10-1703-x64
- 3  $PLUGINSDI...ls.dll     windows10-1703-x64
- 3  $PLUGINSDI...em.dll     windows10-1703-x64
- 3  BetterDiscord.exe       windows10-1703-x64
- 5  LICENSES.c...m.html     windows10-1703-x64
- 4  d3dcompiler_47.dll      windows10-1703-x64
- 3  ffmpeg.dll              windows10-1703-x64
- 3  libEGL.dll              windows10-1703-x64
- 3  libGLESv2.dll           windows10-1703-x64
- 3  resources/app.js        windows10-1703-x64
- 3  swiftshade...GL.dll     windows10-1703-x64
- 3  swiftshade...v2.dll     windows10-1703-x64
- 3  vk_swiftshader.dll      windows10-1703-x64
- 3  vulkan-1.dll            windows10-1703-x64
Analysis (score 3)

- max time kernel: 121s
- max time network: 144s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04-08-2024 07:28
Static task: static1

Behavioral tasks (task, sample, resource):
- behavioral1   BetterDiscord-Windows.exe     win10-20240404-en
- behavioral2   $PLUGINSDIR/BgImage.dll       win10-20240404-en
- behavioral3   $PLUGINSDIR/StdUtils.dll      win10-20240404-en
- behavioral4   $PLUGINSDIR/System.dll        win10-20240404-en
- behavioral5   BetterDiscord.exe             win10-20240404-en
- behavioral6   LICENSES.chromium.html        win10-20240404-en
- behavioral7   d3dcompiler_47.dll            win10-20240611-en
- behavioral8   ffmpeg.dll                    win10-20240404-en
- behavioral9   libEGL.dll                    win10-20240404-en
- behavioral10  libGLESv2.dll                 win10-20240404-en
- behavioral11  resources/app.js              win10-20240404-en
- behavioral12  swiftshader/libEGL.dll        win10-20240404-en
- behavioral13  swiftshader/libGLESv2.dll     win10-20240404-en
- behavioral14  vk_swiftshader.dll            win10-20240404-en
- behavioral15  vulkan-1.dll                  win10-20240611-en
General

- Target: BetterDiscord.exe
- Size: 112.3MB
- MD5: 673c5e8265f3f9c40e2fc8a4b56744e4
- SHA1: 5d0b271b850f0cd8e01229b1a72a2c1215bc7956
- SHA256: 43894debcd60fed8d64c1a724e60eb860a9d5453b3fc0529ecf9efdbc10a8128
- SHA512: 920c25220fe7d0b6b0079f9856d3931c3dcf93c8c6cf74f1ca1b3946a327093b24c03eb726b4344445b4d386847fc67e9dcf8550c20617a79df75b5d9c3e7483
- SSDEEP: 1572864:AzeRomoaC09nEiziYtpg0Ymr7owq3Ddn35FZevY4v034WZZB0HDh996O/fJaCJpw:geRomF3o3V/ZevY/CHHd+Iq
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: BetterDiscord.exe, BetterDiscord.exe
  IoCs (description, ioc, process):
  - Key value queried   \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation   BetterDiscord.exe
  - Key value queried   \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation   BetterDiscord.exe

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: BetterDiscord.exe, BetterDiscord.exe, BetterDiscord.exe, BetterDiscord.exe, BetterDiscord.exe
  IoCs (description, ioc, process):
  - Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   BetterDiscord.exe   (5 occurrences, one per listed process)

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: BetterDiscord.exe, BetterDiscord.exe, BetterDiscord.exe
  IoCs (pid, process):
  - 4720   BetterDiscord.exe   (2 occurrences)
  - 2968   BetterDiscord.exe   (2 occurrences)
  - 4424   BetterDiscord.exe   (4 occurrences)

- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes: BetterDiscord.exe
  IoCs (description, pid, process, target process):
  - PID 3900 wrote to memory of 4036   3900   BetterDiscord.exe   BetterDiscord.exe   (repeated entry; accounts for all entries not listed below)
  - PID 3900 wrote to memory of 4720   3900   BetterDiscord.exe   BetterDiscord.exe   (3 occurrences)
  - PID 3900 wrote to memory of 2968   3900   BetterDiscord.exe   BetterDiscord.exe   (3 occurrences)
  - PID 3900 wrote to memory of 4424   3900   BetterDiscord.exe   BetterDiscord.exe   (3 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe (PID 3900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe"
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe (PID 4036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1492,6583353491956700264,17237722042847672969,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
    Signatures:
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe (PID 4720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,6583353491956700264,17237722042847672969,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 /prefetch:8
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe (PID 2968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=renderer --field-trial-handle=1492,6583353491956700264,17237722042847672969,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
    Signatures:
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe (PID 4424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1492,6583353491956700264,17237722042847672969,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2616 /prefetch:2
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 175B
  MD5: 2b7e4377653e6e07536efe7fc1bd78a7
  SHA1: cdd9c03b91e368bc14c4ac0ff7204ee698fa285d
  SHA256: bd367325bb3c469e1aa6dcff50b6296b9b8d5bf5bed538f01f36c29b0603511a
  SHA512: 5dae5ba1af5ae6e52a39092bc5b4ebb454906c919735ab5b7f7a4c84a487e26376f68aee9c86265142e03c0f163cc0623094fa4f2936bff17504c2059ba112dc

- Filesize: 59B
  MD5: 2800881c775077e1c4b6e06bf4676de4
  SHA1: 2873631068c8b3b9495638c865915be822442c8b
  SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
  SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b