9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e

General

Target

9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe
Size

65KB
MD5

91a3beadd3ccb440e41ee4ee7e8ed9bc
SHA1

4d477640c72e12103c54900c793601c67c520c6f
SHA256

9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e
SHA512

f78c26e3598b08f79151e5605ea1b9be23154729c1c4d871d41c65450001e512474fcc294f934eee6d68e82ebc70ad14ed25b5f8c087d21d37892501f17b2f3a
SSDEEP

1536:zWnyCIUoN36tXQviFw1IssUBnvAQIfLteF3nLrB9z3nQaF9bES9vMO:zWnyCIUoN36tXQviFCbRBnNIfWl9zAaB

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	discord.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .."	discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
17	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe
Token: 33	2452	discord.exe
Token: SeIncBasePriorityPrivilege	2452	discord.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2452	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	89
PID 3056 wrote to memory of 2452	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	89
PID 3056 wrote to memory of 2452	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	89
PID 3056 wrote to memory of 2076	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	90
PID 3056 wrote to memory of 2076	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	90
PID 3056 wrote to memory of 2076	3056	9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe	90
PID 2076 wrote to memory of 1744	2076	cmd.exe	92
PID 2076 wrote to memory of 1744	2076	cmd.exe	92
PID 2076 wrote to memory of 1744	2076	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe
"C:\Users\Admin\AppData\Local\Temp\9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\discord.exe
  "C:\Users\Admin\AppData\Local\Temp\discord.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\discord.exe

Filesize
65KB

MD5
91a3beadd3ccb440e41ee4ee7e8ed9bc

SHA1
4d477640c72e12103c54900c793601c67c520c6f

SHA256
9fe2bbc019db8543d35a9871df964a8c47345a19426d106894b8ef4f07f1e27e

SHA512
f78c26e3598b08f79151e5605ea1b9be23154729c1c4d871d41c65450001e512474fcc294f934eee6d68e82ebc70ad14ed25b5f8c087d21d37892501f17b2f3a

Download Submit
memory/2452-11-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2452-13-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2452-18-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2452-19-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-0-0x0000000075302000-0x0000000075303000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-2-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-14-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads