4134b245f9ba38dc81310242f42f8f8fc9b42865714d47f71cd87d5990a5ebc0

Analysis

max time kernel
210s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoDiscorder.zip
Size

80.3MB
MD5

9a689a63966b1e055c2a44eed335a089
SHA1

70b63a3d1114de6a7dcfe3ce94c64a69aabc3b89
SHA256

4134b245f9ba38dc81310242f42f8f8fc9b42865714d47f71cd87d5990a5ebc0
SHA512

559c4e4333ff2262c0bdbbb96f42e7a639488e3ef22d4fa464f3a50b82a4ee5b639c8aabacc524dd202f6d6aa9bedd0557a91dba7cfe1a69de595cbd8efee3bb
SSDEEP

1572864:Piu0OEM74FBNx2Ib4fR55OIiMv+8XzBZCY5iwmNCWmnsygRa3d58E:Piu0OEM7kBNrbk5OTQZmyW+sy1/8E

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1880	AutoDiscorder.exe
1316	AutoDiscorder.exe
2652	AutoDiscorder.exe
2160	AutoDiscorder.exe
4832	AutoDiscorder.exe
3320	AutoDiscorder.exe

Loads dropped DLL 17 IoCs

pid	Process
2780	7zFM.exe
1880	AutoDiscorder.exe
1316	AutoDiscorder.exe
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
2160	AutoDiscorder.exe
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
3320	AutoDiscorder.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020b3f-1275.dat	upx
behavioral1/memory/1316-1277-0x000007FEF6110000-0x000007FEF66F9000-memory.dmp	upx
behavioral1/files/0x000700000001c8d3-5189.dat	upx
behavioral1/files/0x000700000001c8d1-5188.dat	upx
behavioral1/files/0x000700000001c8ce-5187.dat	upx
behavioral1/files/0x000700000001c8cc-5186.dat	upx
behavioral1/files/0x00050000000209ae-6150.dat	upx
behavioral1/files/0x00050000000209eb-6162.dat	upx
behavioral1/files/0x00050000000209dc-6159.dat	upx
behavioral1/files/0x00050000000209da-6158.dat	upx
behavioral1/files/0x00050000000209d3-6156.dat	upx
behavioral1/files/0x0005000000020b43-6226.dat	upx

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4404	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2780	7zFM.exe
Token: 35	2780	7zFM.exe
Token: SeSecurityPrivilege	2780	7zFM.exe
Token: SeSecurityPrivilege	2780	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2780	7zFM.exe
2780	7zFM.exe
2780	7zFM.exe
1316	AutoDiscorder.exe
2780	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1880	2780	7zFM.exe	31
PID 2780 wrote to memory of 1880	2780	7zFM.exe	31
PID 2780 wrote to memory of 1880	2780	7zFM.exe	31
PID 1880 wrote to memory of 1316	1880	AutoDiscorder.exe	32
PID 1880 wrote to memory of 1316	1880	AutoDiscorder.exe	32
PID 1880 wrote to memory of 1316	1880	AutoDiscorder.exe	32
PID 2652 wrote to memory of 2160	2652	AutoDiscorder.exe	35
PID 2652 wrote to memory of 2160	2652	AutoDiscorder.exe	35
PID 2652 wrote to memory of 2160	2652	AutoDiscorder.exe	35
PID 4832 wrote to memory of 3320	4832	AutoDiscorder.exe	37
PID 4832 wrote to memory of 3320	4832	AutoDiscorder.exe	37
PID 4832 wrote to memory of 3320	4832	AutoDiscorder.exe	37

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AutoDiscorder.zip"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\7zOCDA8A488\AutoDiscorder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCDA8A488\AutoDiscorder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\7zOCDA8A488\AutoDiscorder.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOCDA8A488\AutoDiscorder.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1316

C:\Users\Admin\Desktop\AutoDiscorder.exe
"C:\Users\Admin\Desktop\AutoDiscorder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\Desktop\AutoDiscorder.exe
  "C:\Users\Admin\Desktop\AutoDiscorder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2160

C:\Users\Admin\Desktop\AutoDiscorder.exe
"C:\Users\Admin\Desktop\AutoDiscorder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\Desktop\AutoDiscorder.exe
  "C:\Users\Admin\Desktop\AutoDiscorder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3320

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\UnprotectRead.ttf
1⤵
PID:4384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Troubleshooting.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI18802\python311.dll

Filesize
1.6MB

MD5
546cc5fe76abc35fdbf92f682124e23d

SHA1
5c1030752d32aa067b49125194befee7b3ee985a

SHA256
43bff2416ddd123dfb15d23dc3e99585646e8df95633333c56d85545029d1e76

SHA512
cb75334f2f36812f3a5efd500b2ad97c21033a7a7054220e58550e95c3408db122997fee70a319aef8db6189781a9f2c00a9c19713a89356038b87b036456720

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26522\cryptography-43.0.3.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\SDL2.dll

Filesize
635KB

MD5
ec3c1d17b379968a4890be9eaab73548

SHA1
7dbc6acee3b9860b46c0290a9b94a344d1927578

SHA256
aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f

SHA512
06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\SDL2_image.dll

Filesize
58KB

MD5
25e2a737dcda9b99666da75e945227ea

SHA1
d38e086a6a0bacbce095db79411c50739f3acea4

SHA256
22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c

SHA512
63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\SDL2_mixer.dll

Filesize
124KB

MD5
b7b45f61e3bb00ccd4ca92b2a003e3a3

SHA1
5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc

SHA256
1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095

SHA512
d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\SDL2_ttf.dll

Filesize
601KB

MD5
eb0ce62f775f8bd6209bde245a8d0b93

SHA1
5a5d039e0c2a9d763bb65082e09f64c8f3696a71

SHA256
74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a

SHA512
34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_tcl_data\encoding\euc-cn.enc

Filesize
84KB

MD5
c5aa0d11439e0f7682dae39445f5dab4

SHA1
73a6d55b894e89a7d4cb1cd3ccff82665c303d5c

SHA256
1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00

SHA512
eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\freetype.dll

Filesize
292KB

MD5
04a9825dc286549ee3fa29e2b06ca944

SHA1
5bed779bf591752bb7aa9428189ec7f3c1137461

SHA256
50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde

SHA512
0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libjpeg-9.dll

Filesize
108KB

MD5
c22b781bb21bffbea478b76ad6ed1a28

SHA1
66cc6495ba5e531b0fe22731875250c720262db1

SHA256
1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd

SHA512
9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libogg-0.dll

Filesize
16KB

MD5
0d65168162287df89af79bb9be79f65b

SHA1
3e5af700b8c3e1a558105284ecd21b73b765a6dc

SHA256
2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24

SHA512
69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libopus-0.dll

Filesize
181KB

MD5
3fb9d9e8daa2326aad43a5fc5ddab689

SHA1
55523c665414233863356d14452146a760747165

SHA256
fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491

SHA512
f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\libpng16-16.dll

Filesize
98KB

MD5
55009dd953f500022c102cfb3f6a8a6c

SHA1
07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb

SHA256
20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2

SHA512
4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\pygame\zlib1.dll

Filesize
52KB

MD5
ee06185c239216ad4c70f74e7c011aa6

SHA1
40e66b92ff38c9b1216511d5b1119fe9da6c2703

SHA256
0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466

SHA512
baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

Download Submit
memory/1316-1277-0x000007FEF6110000-0x000007FEF66F9000-memory.dmp

Filesize
5.9MB

Download