93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791

General

Target

93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe
Size

65KB
MD5

ed689865c39b6ef12d27909bad36afe0
SHA1

f6e672c9a38ff700a8eda0ec996db345a1b2cb69
SHA256

93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791
SHA512

c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8
SSDEEP

1536:zWnyCIUoN36tXQviFw1IssUBnvAQIfLteF3nLrB9z3nQaF9bES9vM:zWnyCIUoN36tXQviFCbRBnNIfWl9zAa0

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	discord.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .."	discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
17	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3568	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	86
PID 1928 wrote to memory of 3568	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	86
PID 1928 wrote to memory of 3568	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	86
PID 1928 wrote to memory of 2864	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	87
PID 1928 wrote to memory of 2864	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	87
PID 1928 wrote to memory of 2864	1928	93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe	87
PID 2864 wrote to memory of 628	2864	cmd.exe	89
PID 2864 wrote to memory of 628	2864	cmd.exe	89
PID 2864 wrote to memory of 628	2864	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe
"C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\discord.exe
  "C:\Users\Admin\AppData\Local\Temp\discord.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\discord.exe

Filesize
65KB

MD5
ed689865c39b6ef12d27909bad36afe0

SHA1
f6e672c9a38ff700a8eda0ec996db345a1b2cb69

SHA256
93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791

SHA512
c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8

Download Submit
memory/1928-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-13-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3568-11-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3568-14-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3568-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads