Analysis
- max time kernel: 14s
- max time network: 2s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 17:21
Static task: static1
Behavioral task: behavioral1
- Sample: DiscordCanarySetup.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: DiscordCanarySetup.exe
- Resource: win10v2004-20241007-en
General
- Target: DiscordCanarySetup.exe
- Size: 103.7MB
- MD5: c6655f47c729a566381d757f4ccfca22
- SHA1: 9a206d7bc2e999bc9549e283102957fdb7e1d6ac
- SHA256: 7221d924450be7f8d162c813d7ab0fc7e5941e2481aea27e25183b518fa97f95
- SHA512: 087965de9d95b8dff862bdb7fc691fc640c4d7df89735d3cf60a8799e8ae58477d5ccf7d887050d02a6a6f64f513805824589bbfea02e85d50329d5b4b4bf3d7
- SSDEEP: 1572864:UnHD3RJgJ7HOVN8SWqQii3bOhjBd8DhKUpjCHgUasCac0agJc7wlrkubg2:CHD3AlHu2SDQybMK0uaHac0aJ7wlrk6B
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid 2160 Update.exe; pid 2268 DiscordCanary.exe; pid 2116 DiscordCanary.exe
- Loads dropped DLL (3 IoCs)
  pid 2528 DiscordCanarySetup.exe; pid 2160 Update.exe; pid 2160 Update.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DiscordCanarySetup.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Update.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: NOTEPAD.EXE)
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid 1140 NOTEPAD.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2160 Update.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2528 (DiscordCanarySetup.exe) wrote to memory of PID 2160, procid_target 31 (7 entries)
  PID 2528 (DiscordCanarySetup.exe) wrote to memory of PID 1140, procid_target 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe (PID 2528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe (PID 2160)
    Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow
    - C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe (PID 2268)
      Command line: "C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --squirrel-install 1.0.328
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe (PID 2116)
      Command line: "C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --squirrel-firstrun
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1140)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
    Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads