Analysis
-
max time kernel
1367s -
max time network
1160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-08-2024 21:10
General
-
Target
DiscordSetup.exe
-
Size
109.1MB
-
MD5
f25b0f68070257601e6990578a6e25cb
-
SHA1
20278a55eefa246b28d11a4b7ce394ce934ddf33
-
SHA256
c361746fbc8c4020d7220c70845a92b03db82d3dc13289ff81a3c1720d1b6082
-
SHA512
d49753bf89c814a83d2314d825c7d0d72f5b66b9429b51e42c8f3102e8a1877ff8bd9a7892877d6eabfe97a00533c934ebefd2b8058a7e5ba745e3c821fce40e
-
SSDEEP
3145728:9NEmmQbWysG0fCU9j41MOR7t6LF88gkXBQI/4lWM:9qvQb1eKUduMcRuC8g4QIAlJ
Malware Config
Signatures
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 11 IoCs
-
Modifies registry key 1 TTPs 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe" --squirrel-install 1.0.91573⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9157 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x4f8,0x4f0,0x4fc,0x454,0x500,0x7ff61c0df218,0x7ff61c0df224,0x7ff61c0df2304⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\Update.exeC:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,3491076214600269102,6575096187898944942,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2096,i,3491076214600269102,6575096187898944942,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1992 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f4⤵
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f4⤵
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe\",-1" /f4⤵
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9157\Discord.exe\" --url -- \"%1\"" /f4⤵
- Modifies registry class
- Modifies registry key
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
278KB
MD5084f9bc0136f779f82bea88b5c38a358
SHA164f210b7888e5474c3aabcb602d895d58929b451
SHA256dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43
SHA51265bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb
-
Filesize
146KB
MD56c2827fe702f454c8452a72ea0faf53c
SHA1881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA2562fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA5125619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5
-
Filesize
220KB
MD577088f98a0f7ea522795baec5c930d03
SHA19b272f152e19c478fcbd7eacf7356c3d601350ed
SHA25683d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA5125b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a
-
Filesize
4.7MB
MD5a7b7470c347f84365ffe1b2072b4f95c
SHA157a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA51283391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d
-
Filesize
3.9MB
MD544de96df53c719a4b2250694f5141426
SHA167050562d8e84dd3056e7d0054af0929c55cc41e
SHA25687ef415d9df32b752ee7e1c16c62780e69ae97bcf0d36dfb14601143be5ba2bd
SHA512d68326fe025e066dfa258015cbc59d0ced3eba8be4ecd0aa044461552f415570ce591a9e14908afe231fc130b1239f85fbf01fdd6175236f79345920adae8cf9
-
Filesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
Filesize
486KB
MD5369cf2ef5d1563af3feb190dedfcac5b
SHA1ac077542bf8546221fdc0c76dfb869335a570d0d
SHA256b71d18a7ad02984f59698130585661b28fe658f79ac7aebb6a03652a682a51f6
SHA51295c9968575ef0d0322696de7ee6c71051e6e4ffa325346a8a9647d7d9101d106de49b79867114470ef6fe672f3b1b8549bba40bae074acc31769a07cd951a09b
-
Filesize
7.6MB
MD5ccc445502b10f867c83601470619715a
SHA1ee71701717332bacdea3095ae176be7f9f200aab
SHA256d4a6a2e21b71635400601a57eac78f41fb7fbbf6b5c89998b16eb257e7c2622d
SHA512fa107c35cbfa113ba05c17c88b6abe847dd019770b791dcbfc76456f5180b6e3f8e9b5c9c5ecb71547e120e81ea39bef27a3ec2ceacfd72b2eff62c17704525a
-
Filesize
443KB
MD588bbc725e7eedf18ef1e54e98f86f696
SHA1831d6402443fc366758f478e55647a9baa0aa42f
SHA25695fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA51292a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4
-
Filesize
5.1MB
MD5db3fa7a7f7af66bbb73c1c0a46187572
SHA15c6f2b5c01a20f204bb67f28a907dec4cd98bce8
SHA2560e114f6464cecae87988c1dd65ea1bc939681fee6415d343e947a5889717165f
SHA512e639e96c36fa67dfdc7098c7d6863ee421a2de9fa49630038e8abf4f152b03e0bbb80eee0d40a68cac5a48bfa75f0cc3542c1170dd65ab1bf5626450f803d410
-
Filesize
7.6MB
MD55858be90a23a3bb63426ce1a5a7d9066
SHA18c6b4f37a9a04cfee54d7ad2dcee5f42d678d572
SHA25678880e2db0ca22d389f31e1f0983a5979fec82ec5af28462fb84b584ec7a339c
SHA51251eceaa5e529453e50b800d14790ce7ffc8edf192720c20ba49a27f9384a88bb2a8e00c335b5a6efe223518136338a314f0c20aa093791093a3e23e56a42115f
-
Filesize
83B
MD5891aa771e4b86a91d55ddfa3f7fe3179
SHA12944cc39dda21b3d252aff1e374b2ad25e5f640f
SHA2567ed20645779ebb988eed062e413a78210f6d0e3b241d0541f36fa991a5c5f239
SHA512163cadda8e0781707fc9007441206b3419d8c196665646ed4368af5b114d4a772e85f3533c44cfbf543ae2de8e082f13759e4a57ffc75577ace2e8ecef0b0563
-
Filesize
641KB
MD5b1b09c057d365720ad26151066bf160c
SHA17bbf976150e9b63acd4aea4223085818445f7dfc
SHA2560b239cf5ab92a27cfa087b49e6dc943e0c674b62cea643cff2130e1c2f8db31c
SHA512ad4cbce2e8f367cff9b8b8ca56d1b6b833c3293dd55c1279732abda493b3a366efbefa67d75ab0ba6b93ca0a7545475728f9dc09bda9460ecf13f53f137a9b77
-
Filesize
5.1MB
MD57fa2ee4edf4bea629ae219b10937f8dc
SHA10deee13a48c073f72cb08f5229d02c13d000b33d
SHA2563b5548129f3c9c718b7a68e9ddf25c061c59a2d1472a82454784d18c21f94525
SHA51296be66bfa8d58476616496a2b191d15863bd90e84933fd9dda6f9ee8425e694e9744f700a4c69f6f3d85b5757830b905adb355e0fc80d816b42ca8c84914e4c9
-
Filesize
81B
MD58d44003b02db9bda4e1f00de9bf71ba7
SHA1691b0b98827479e94a8f7b16e241109d60116b48
SHA25647bb9a33e245d4765b810deb9361bc54f01e154249df4e055a31f2a92776de86
SHA512e5d1723d160e8382c2d17f2816684755f633876b9bbbbd8b19870ae2169845174a208fc5b651402b7091224b4ce2143a474a744d0706d792c35c4c7410796a5c
-
Filesize
1.5MB
MD5011dd99c8cd0d951d04717ad0e6c348a
SHA1e5a940e10ef9dfad61f2a9bb1f0b5fef1f38b8f2
SHA256614887bc0da1d85f576127553191906f2f43c4f20df76b3a35dc1e3fad86ec83
SHA512a998ff407a137d30d7a8ab7b2932e41631b86020d69a8081132461c9a9c8f3a52404e1de9f7ddb92f338f0a4e7ad22ac815f1d18cd16d68036094f6db4c55b67
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
1.5MB
-
Filesize
128KB