Malware Analysis Report

2025-08-05 18:14

Sample ID 241117-sjjjesxjgk
Target Discord.rar
SHA256 e811decdc0c746351da7e841174ea7a644c287ae1ca177503f0f18930458e4f2
Tags
evasion execution persistence privilege_escalation
score
8/10


Analysis Overview

score
8/10

SHA256

e811decdc0c746351da7e841174ea7a644c287ae1ca177503f0f18930458e4f2

Threat Level: Likely malicious

The file Discord.rar was found to be: Likely malicious.

Malicious Activity Summary

evasion execution persistence privilege_escalation

Stops running service(s)

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Opens file in notepad (likely ransom note; in this run the file opened was the dropped SecureEngineSDK64.dll, not a note, see behavioral1)

Suspicious behavior: EnumeratesProcesses

Gathers network information

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-17 15:09

Reported

2024-11-17 15:14

Platform

win10ltsc2021-20241023-en

Max time kernel

154s

Max time network

284s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-3-x64.dll,#1

Signatures

N/A (this run called ordinal #1 of the dropped libcrypto-3-x64.dll directly through rundll32; the filename is that of the OpenSSL 3.x crypto library that ships next to Prv.exe, and running the support DLL on its own produced no flagged behaviour, no dropped files and only background DNS traffic)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-3-x64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.74.47.205:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:09

Reported

2024-11-17 15:11

Platform

win10ltsc2021-20241023-en

Max time kernel

50s

Max time network

90s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.rar"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Both netsh.exe launches ran netsh advfirewall firewall delete rule name="Block IP" (see Processes). The sample deletes a rule by name rather than creating one; no default Windows rule carries that name, so on a clean image the command is a no-op, and the rule name is the only hint at what the sample expects to have been blocked.

Stops running service(s)

evasion execution

The service stopped is HTTPDebuggerPro (sc stop HTTPDebuggerPro, followed by taskkill /IM HTTPDebuggerSvc.exe /F), the service of the HTTP Debugger Pro traffic-inspection tool. Together with the taskkill filters for fiddler*, wireshark* and httpdebugger* this is an attempt to shut down local traffic interception; the only sample-attributable connections in this run are to keyauth.win and discord.com over 443.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

All three events are reads of HKLM\SOFTWARE\Microsoft\NetSh by netsh.exe itself, which enumerates that key on every start to load its helper DLLs; they were produced while netsh ran the firewall rule deletion listed under Processes. Registering a helper (T1546.007) would require the sample to write a new value under that key, and no such write is recorded in this run, so treat this signature as a false positive here.

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

The file opened was C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll (see Processes), a dropped DLL rather than a text file. The "likely ransom note" qualifier is the sandbox's generic heuristic for any Notepad launch; nothing else in this run (no encrypted files under Files, no dropped note) supports a ransomware classification.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

The 7zFM.exe and 7zG.exe rows are the analysis harness opening and extracting Discord.rar with 7-Zip (see Command Line), which enables SeRestorePrivilege, SeSecurityPrivilege and privilege LUID 35 (SeCreateSymbolicLinkPrivilege, left unresolved by the sandbox) for every extraction; the same applies to the 7-Zip rows under GetForegroundWindowSpam and FindShellTrayWindow. The taskkill.exe rows are taskkill requesting SeDebugPrivilege so that /F can open processes it does not own. None of these rows shows the sample adjusting its own token.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Discord\Prv.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent writing into a child it has just created (Prv.exe into cmd.exe, cmd.exe into the tool it wraps), which is what CreateProcess does when it sets up the new process's parameters; the table mirrors the process tree under Processes and does not by itself show injection into an unrelated process.
Description Indicator Process Target
PID 2512 wrote to memory of 4920 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 4920 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 4132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4920 wrote to memory of 4132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2512 wrote to memory of 2572 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2572 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2572 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2512 wrote to memory of 1280 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1280 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1812 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1812 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 1812 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1812 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2512 wrote to memory of 60 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 60 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1584 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1584 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1584 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 5072 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 5072 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5072 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 1380 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 1380 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1380 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 2828 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2828 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2828 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2512 wrote to memory of 2564 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2564 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2564 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 460 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 460 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 4612 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 4612 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4612 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2512 wrote to memory of 4768 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 4768 N/A C:\Users\Admin\Desktop\Discord\Prv.exe C:\Windows\system32\cmd.exe
PID 4768 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4768 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.rar"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Discord\" -ad -an -ai#7zMap25000:72:7zEvent15712

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Discord\Prv.exe

"C:\Users\Admin\Desktop\Discord\Prv.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12

C:\Windows\system32\mode.com

MODE CON COLS=55 LINES=12

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt

C:\Windows\system32\certutil.exe

certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Users\Admin\Desktop\Discord\Prv.exe

"C:\Users\Admin\Desktop\Discord\Prv.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12

C:\Windows\system32\mode.com

MODE CON COLS=55 LINES=12

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\certutil.exe

certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
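
The command chain above (ipconfig /flushdns, deletion of a named firewall rule, taskkill of analysis tools, sc stop, browser-cache wipe, certutil self-hash) is a compact detection target. The following Python is added to this report and was not produced by the sandbox: it tags each process-creation record with a behaviour category and fires only when the three anti-analysis tags occur together. The records are constructed from the Processes list above; the tag names and the chain rule are this example's own conventions, not a vendor signature.

```python
"""Tag sandbox process-creation records for the anti-analysis command chain
in this report.

Added example, not part of the sandbox output. OBSERVED is constructed from
the command lines listed under Processes (behavioral1); the tag names and
the chain rule are this example's own conventions, not a vendor signature.
"""
import re
from collections import Counter
from typing import Optional, Tuple

# Image-name prefixes the sample's taskkill filters aim at (from the report).
ANALYSIS_TOOLS = ("fiddler", "wireshark", "httpdebugger")

# Tags that together constitute the anti-analysis chain.
CHAIN = {"kill_analysis_tool", "stop_service", "firewall_rule_delete"}

PARENT = r"C:\Users\Admin\Desktop\Discord\Prv.exe"
OBSERVED = [  # (parent image, child image, child command line)
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c ipconfig /flushdns"),
    (PARENT, "cmd.exe", r'C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"'),
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12"),
    (PARENT, "cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1'),
    (PARENT, "cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1'),
    (PARENT, "cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1'),
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1"),
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1"),
    (PARENT, "cmd.exe", r'C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1'),
    (PARENT, "cmd.exe", r"C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt"),
]

_CMD_WRAPPER = re.compile(r'^"?\S*?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
_REDIRECT = re.compile(r"\s*\d?>>?\s*\S+")          # >nul, 2>&1, >> file
_TASKKILL_FILTER = re.compile(r'imagename\s+eq\s+"?([^"\s]+)')
_TASKKILL_IM = re.compile(r"/im\s+(\S+)")


def normalize(cmdline: str) -> str:
    """Strip a leading `cmd.exe /c` wrapper and trailing shell redirections."""
    inner = _CMD_WRAPPER.sub("", cmdline, count=1)
    return _REDIRECT.sub("", inner).strip()


def classify(cmdline: str) -> Tuple[Optional[str], str]:
    """Return (tag, detail) for one command line; tag is None for cosmetic ones."""
    low = normalize(cmdline).lower().lstrip("@")
    parts = low.split()
    first = parts[0] if parts else ""
    if first == "taskkill":
        # A /FI "IMAGENAME eq x*" filter names the real target; "/IM *" is a wildcard.
        m = _TASKKILL_FILTER.search(low) or _TASKKILL_IM.search(low)
        target = m.group(1).rstrip("*") if m else ""
        if target.startswith(ANALYSIS_TOOLS):
            return "kill_analysis_tool", target
        return "kill_process", target
    if first == "sc" and "stop" in parts:
        return "stop_service", parts[-1]
    if first == "netsh" and "advfirewall" in parts and "delete" in parts:
        m = re.search(r'name="?([^"]+)', low)
        return "firewall_rule_delete", m.group(1) if m else ""
    if first == "ipconfig" and "/flushdns" in parts:
        return "dns_cache_flush", ""
    if first in ("rd", "rmdir") and "/s" in parts and "inetcache" in low:
        return "browser_cache_wipe", ""
    if first == "certutil" and "-hashfile" in parts:
        return "self_hash", parts[2] if len(parts) > 2 else ""
    return None, ""  # cls, MODE CON ...: console cosmetics only


def summarize(records):
    """Aggregate tags over a process list and evaluate the chain rule."""
    tags = Counter()
    killed = set()
    from_user_profile = 0
    for parent, _image, cmdline in records:
        tag, detail = classify(cmdline)
        if tag is None:
            continue
        tags[tag] += 1
        if tag == "kill_analysis_tool":
            killed.add(detail)
        if parent.lower().startswith("c:\\users\\"):
            from_user_profile += 1   # LOLBin chain driven from a user-writable path
    return {
        "tags": tags,
        "killed": killed,
        "chain": CHAIN <= set(tags),
        "tagged_from_user_profile_parent": from_user_profile,
    }


if __name__ == "__main__":
    result = summarize(OBSERVED)
    print("anti-analysis chain:", result["chain"])
    print("tools targeted:", sorted(result["killed"]))
    for tag, count in sorted(result["tags"].items()):
        print(f"  {tag}: {count}")
```

To run this against live telemetry, replace OBSERVED with (ParentImage, Image, CommandLine) tuples from Sysmon event 1 or an EDR process feed. The rule requires all three chain tags, so a lone ipconfig /flushdns or a single taskkill from an administrator's script does not fire; the per-tag counters are still worth recording for hunting.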

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.244.186:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp

Of the connections above, only keyauth.win (172.67.72.57:443) and discord.com (162.159.135.232:443) are attributable to the sample. checkappexec.microsoft.com is Windows SmartScreen's reputation check for the newly run executable, c.pki.goog is Google Trust Services' certificate-status endpoint, and the in-addr.arpa queries to 8.8.8.8 are the sandbox's own reverse lookups of each destination IP (reverse the octets of 57.72.67.172.in-addr.arpa to get keyauth.win's 172.67.72.57). KeyAuth is a commercial licensing and authentication service commonly embedded in cheat and cracked-software loaders; the discord.com contact is what the "Legitimate hosting services abused" signature keys on.
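
Network tables like the one above mix three kinds of rows: the guest's own background traffic, the sandbox's reverse lookups of every IP it saw, and the connections the sample actually made. The following Python, added here and not part of the sandbox output, separates them using the rows above as constructed input. The PLATFORM_NOISE allowlist is this example's own assumption about what a Windows 10 image does on its own, not something the report states; review it before reuse, since an allowlist is also where a lookalike domain hides.

```python
"""Separate sample-attributable network destinations from sandbox noise.

Added example, not part of the sandbox output. ROWS is constructed from the
Network table of behavioral1 above. PLATFORM_NOISE is this example's own
allowlist of Windows/browser background destinations (assumed benign), not
something the report states.
"""
import ipaddress

ROWS = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "checkappexec.microsoft.com", "udp"),
    ("GB", "51.140.244.186:443", "checkappexec.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "186.244.140.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "keyauth.win", "udp"),
    ("US", "172.67.72.57:443", "keyauth.win", "tcp"),
    ("US", "8.8.8.8:53", "57.72.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "discord.com", "udp"),
    ("US", "162.159.135.232:443", "discord.com", "tcp"),
    ("US", "8.8.8.8:53", "c.pki.goog", "udp"),
    ("US", "8.8.8.8:53", "232.135.159.162.in-addr.arpa", "udp"),
    ("GB", "216.58.201.99:80", "c.pki.goog", "tcp"),
    ("US", "8.8.8.8:53", "99.201.58.216.in-addr.arpa", "udp"),
]

PLATFORM_NOISE = {
    "checkappexec.microsoft.com",  # SmartScreen reputation check (assumed benign)
    "fd.api.iris.microsoft.com",   # Windows content delivery (assumed benign)
    "c.pki.goog",                  # Google Trust Services CRL/OCSP (assumed benign)
}
RESOLVER = "8.8.8.8"


def ptr_to_ip(name):
    """'57.72.67.172.in-addr.arpa' -> '172.67.72.57'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Bucket rows into sample destinations, platform noise and PTR correlations."""
    connections = {}  # dest ip -> (domain, dest) for flows not aimed at the resolver
    ptr_ips, resolved = set(), set()
    for _country, dest, domain, _proto in rows:
        ip, _, port = dest.rpartition(":")
        if ip == RESOLVER and port == "53":
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)              # sandbox reverse lookup of an IP
            else:
                resolved.add(domain.lower())  # forward lookup made by the guest
            continue
        connections[ip] = (domain.lower(), dest)
    sample, noise = [], []
    for domain, dest in connections.values():
        (noise if domain in PLATFORM_NOISE else sample).append((domain, dest))
    seen = set(connections)
    return {
        "sample": sample,
        "noise": noise,
        # PTR names that reverse to an IP the guest also connected to
        "ptr_for_seen_ip": ptr_ips & seen,
        # PTR names with no matching connection in the table (other guest traffic)
        "ptr_without_connection": ptr_ips - seen - {RESOLVER},
        # names resolved but never connected to
        "resolved_only": resolved - {d for d, _ in sample} - {d for d, _ in noise},
    }


def iocs(rows):
    """Sorted domains and IPs from the sample bucket, ready for blocklist review."""
    out = set()
    for domain, dest in triage(rows)["sample"]:
        out.add(domain)
        out.add(dest.rpartition(":")[0])
    return sorted(out)


if __name__ == "__main__":
    result = triage(ROWS)
    for domain, dest in result["sample"]:
        print(f"sample  {domain:30} {dest}")
    for domain, dest in result["noise"]:
        print(f"noise   {domain:30} {dest}")
    print("IOCs:", iocs(ROWS))
```

The iocs() output still needs a human decision: discord.com is a legitimate service that should be controlled by path or webhook at a proxy rather than blocked by domain, and keyauth.win also serves licensed software. The PTR correlation is the useful sanity check: a reverse lookup with no matching connection in the table (52.140.118.28 here) points at guest traffic the table does not otherwise show.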

Files

C:\Users\Admin\Desktop\Discord\Prv.exe

MD5 e66ed4613b57ea69f248d947c78aee5d
SHA1 fe22fd8f8d133d019d5a14737ebce8df93908b89
SHA256 df4f585a8338fb58d6d0d5a611faa30f1bf69ac792a5390e8ec322e6f96af040
SHA512 e9394f6d56b009e55dd7b1ee928641dc6422a201e50131e610a88b91556f2cf75fe1a366725625ce383e0c6d5899232390176c6cd2c6bf4f1cec793a88b8327f

C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll (filename matches the Oreans SecureEngine SDK that accompanies Themida/WinLicense-protected binaries; this is the file NOTEPAD.EXE was launched on)

MD5 84d5311491c5174cc34406ec25fcb1f3
SHA1 c0c2ee8f6e515ef9f29c5de92a86fe7ec3063d7e
SHA256 6f33fd1a9bddc1eca5b73e2909bf63cea0ef96fb707fb6bc715e32b109f30772
SHA512 693bbb170e4a29d2ed3eb0293cf5cc67b2f223c3b365787f6be53f4194b450dd95c86ccb47dd87f72e19f3e3349e61f78ed79561d263e8df3e82714a7b3f02ba

C:\Users\Admin\Desktop\Discord\libcrypto-3-x64.dll (filename matches the OpenSSL 3.x crypto library; detonated on its own in behavioral4 with no flagged behaviour)

MD5 c8206fdc0701395880c71c7913d1aaf4
SHA1 dc0d885dee996da8cd74d1bee328ca5739af4c5a
SHA256 d7b9362e945a06d53b61d6525c8e87031969fce7156663d102b2b965d69a67cc
SHA512 79ada6f20a9ba11ba0f384322168036d1f842a971e7c6c054e804b6ed01d8f53db372a1da944222fa7dcdd5062a029f3d81a75ee4e5ae4051e029b739e553c57

C:\ProgramData\hash.txt (written by the certutil -hashfile ... MD5 >> C:\ProgramData\hash.txt command under Processes: the sample hashes its own executable and appends the result to this file)

MD5 f55f1f1ae272d0c0f170a5c02f694301
SHA1 9ed3722a92fbc1a40be1a28642d2fa6804586a78
SHA256 d2532e4108591a92ea440d8c48c107c223981d287b129f728edff9e6d2ff256d
SHA512 388c0b9023e96cf3e71e30d10dd8e8c8d5e86e009dca3d609b0da17fd229ac1e24fb8ff704f59d20c5ccc03d7ae2efc6df457bab940937abe494ded47479938a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:09

Reported

2024-11-17 15:14

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

281s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prv.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion execution

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 116 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 116 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1040 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4460 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4460 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1040 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2480 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1040 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1364 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5112 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4512 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1040 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 736 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4476 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 2916 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2916 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4076 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2760 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4536 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1040 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 448 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
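The rows above come in pairs: every parent/child PID pair is listed twice, and each pair lines up with a parent launching a child in the process list that follows. Writing into a freshly created child is part of a normal process launch, so this signature on its own does not separate a spawn from code injection; the check is to rebuild the tree and see whether every write maps onto a parent/child relationship. The script below is an added example, not part of the report or of the sample: it parses rows in the shape shown above, drops the duplicate pairs and renders the tree. The embedded rows are a subset copied from the table above.

```python
"""Rebuild the process tree behind 'Suspicious use of WriteProcessMemory' rows.

Every row in the sandbox report reads

    PID <parent> wrote to memory of <child> N/A <parent image> <child image>

and each parent/child pair is emitted twice, so rows are deduplicated first.
"""
import re
from collections import Counter

# Subset of rows copied from the signature table above (not constructed).
ROWS = r"""
PID 1040 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 116 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 116 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1040 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 4460 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4460 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1040 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1364 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1040 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Prv.exe C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges
    in first-seen order. Lines that do not match the row shape are skipped."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def find_roots(edges):
    """PIDs that write to other processes but were never written to."""
    parents = {p for p, _, _, _ in edges}
    children = {c for _, c, _, _ in edges}
    return parents - children


def render_tree(edges):
    """One indented 'pid image' line per process, depth-first from each root."""
    image, children = {}, {}
    for p, c, pimg, cimg in edges:
        image.setdefault(p, pimg)
        image.setdefault(c, cimg)
        children.setdefault(p, []).append(c)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(find_roots(edges)):
        walk(root, 0)
    return lines


def children_by_image(edges):
    """How often each image was the target of a write, i.e. was spawned."""
    return Counter(cimg for _, _, _, cimg in edges)


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print(f"{len(edges)} unique parent/child pairs")
    print("\n".join(render_tree(edges)))
    for img, n in children_by_image(edges).most_common():
        print(f"{n:3d}  {img}")
```

If a write does not fit the tree (a PID written to by a process that is not its parent, or a target whose image never appears as a launched child), that row is the one worth treating as possible injection.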

Processes

C:\Users\Admin\AppData\Local\Temp\Prv.exe

"C:\Users\Admin\AppData\Local\Temp\Prv.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name="Block IP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12

C:\Windows\system32\mode.com

MODE CON COLS=55 LINES=12

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5 >> C:\ProgramData\hash.txt

C:\Windows\system32\certutil.exe

certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12

C:\Windows\system32\mode.com

MODE CON COLS=55 LINES=12
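The process list above is one analysis-evasion routine run several times over: taskkill against Fiddler, Wireshark and HTTP Debugger (by IMAGENAME filter and by image name), sc stop for the HTTPDebuggerPro service, deletion of a firewall rule named "Block IP", a wipe of the IE cache directory and a certutil MD5 of the sample itself. The script below is an added example, not part of the report or of the sample, that turns that pattern into detection logic over process-creation command lines such as the CommandLine field of a Sysmon event 1. The command lines embedded in it are copied from the list above plus two constructed benign lines; the tool names beyond fiddler, wireshark and httpdebugger (procmon, x64dbg, ollydbg, ida) and the two-tool threshold are tuning assumptions, not anything this report shows.

```python
"""Flag an analysis-tool-killing routine from process-creation command lines.

Rules mirror what the sandbox captured: taskkill with an IMAGENAME filter or
/IM naming an analysis tool, sc stop of an analysis service, netsh firewall
rule deletion, certutil -hashfile, and an rd /s /q of the IE cache.
"""
import re

# fiddler, wireshark, httpdebugger come from the report; the rest are common
# additions and an assumption for tuning.
ANALYSIS_TOOLS = ("fiddler", "wireshark", "httpdebugger",
                  "procmon", "x64dbg", "ollydbg", "ida")

TASKKILL_FILTER = re.compile(r'taskkill\b.*?/FI\s+"IMAGENAME\s+eq\s+([^"*]+)\*?"', re.I)
TASKKILL_IMAGE = re.compile(r'taskkill\b.*?/IM\s+(\S+)', re.I)
SC_STOP = re.compile(r'\bsc\s+stop\s+(\S+)', re.I)
FIREWALL_DELETE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+delete\s+rule\b(?:\s+name="([^"]*)")?', re.I)
CERTUTIL_HASH = re.compile(r'certutil\b.*?-hashfile\s+(\S+)', re.I)
CACHE_WIPE = re.compile(r'\brd\s+/s\s+/q\s+"?[^"]*INetCache', re.I)

# Command lines copied from the process list above; the last two are
# constructed benign lines so the filter has something to ignore.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Prv.exe"',
    r'C:\Windows\system32\cmd.exe /c ipconfig /flushdns',
    r'C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"',
    r'C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5 >> C:\ProgramData\hash.txt',
    r'C:\Windows\system32\cmd.exe /c taskkill /IM notepad.exe /F',   # constructed, benign
    r'C:\Windows\system32\cmd.exe /c ipconfig /all',                 # constructed, benign
]


def tool_in(name):
    """Return the analysis tool whose name is a substring of `name`, or None."""
    low = name.lower()
    return next((t for t in ANALYSIS_TOOLS if t in low), None)


def classify(cmdline):
    """Return (rule, detail) for one command line, or None if nothing matches."""
    m = TASKKILL_FILTER.search(cmdline)
    if m and tool_in(m.group(1)):
        return ("kill_analysis_tool", tool_in(m.group(1)))
    m = TASKKILL_IMAGE.search(cmdline)
    if m and tool_in(m.group(1)):
        return ("kill_analysis_tool", tool_in(m.group(1)))
    m = SC_STOP.search(cmdline)
    if m and tool_in(m.group(1)):
        return ("stop_analysis_service", tool_in(m.group(1)))
    m = FIREWALL_DELETE.search(cmdline)
    if m:
        return ("firewall_rule_delete", m.group(1) or "")
    m = CERTUTIL_HASH.search(cmdline)
    if m:
        return ("certutil_hashfile", m.group(1))
    if CACHE_WIPE.search(cmdline):
        return ("browser_cache_wipe", "INetCache")
    return None


def scan(cmdlines):
    """Classify every command line; keep only the ones that hit a rule."""
    return [hit for hit in (classify(c) for c in cmdlines) if hit]


def targeted_tools(findings):
    """Distinct analysis tools killed or stopped."""
    return {d for r, d in findings if r in ("kill_analysis_tool", "stop_analysis_service")}


def is_evasion_routine(findings, min_tools=2):
    """Verdict: two or more distinct analysis tools targeted (threshold is an assumption)."""
    return len(targeted_tools(findings)) >= min_tools


if __name__ == "__main__":
    findings = scan(COMMAND_LINES)
    for rule, detail in findings:
        print(f"{rule:24s} {detail}")
    print("analysis-evasion routine:", is_evasion_routine(findings))
```

Note the two taskkill forms: with `/FI "IMAGENAME eq fiddler*" /IM *` the image argument is a bare `*`, so a rule that only inspects the `/IM` value never sees the tool name; the filter expression has to be parsed as well.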

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
N/A 127.0.0.1:49795 tcp
N/A 127.0.0.1:49797 tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:49800 tcp
N/A 127.0.0.1:49802 tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
N/A 127.0.0.1:49808 tcp
N/A 127.0.0.1:49810 tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:49823 tcp
N/A 127.0.0.1:49825 tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.74.47.205:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 127.0.0.1:49830 tcp
N/A 127.0.0.1:49832 tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49836 tcp
N/A 127.0.0.1:49838 tcp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
N/A 127.0.0.1:49843 tcp
N/A 127.0.0.1:49845 tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49848 tcp
N/A 127.0.0.1:49850 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49853 tcp
N/A 127.0.0.1:49855 tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49858 tcp
N/A 127.0.0.1:49860 tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49863 tcp
N/A 127.0.0.1:49865 tcp

Files

C:\ProgramData\hash.txt

MD5 06ab8bc670c47033af118b08cdde61be
SHA1 feaa5e7133fa9613f5ab4a7b7e4e3933fae5b749
SHA256 a363e6c0aee24c22dd45ae626196407d4f66c9e5c305f94e706984668739ab10
SHA512 df952cd89af9bb7f8a0154a32324e188453484cfeec30541d8727ff4c9cd8390fbe1b8190ffdbefc0be96680e79fb70146242a639915e69738628a727a70fba7

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-17 15:09

Reported

2024-11-17 15:14

Platform

win10ltsc2021-20241023-en

Max time kernel

154s

Max time network

284s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecureEngineSDK64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecureEngineSDK64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A