Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 23:51

General

  • Target

    DiscordBotClient.exe

  • Size

    177.7MB

  • MD5

    de672272ecc20a5297d211f610bf89e9

  • SHA1

    fd3ca25eb4703a3ccd48f7fa7dd6bbb3cd8863f5

  • SHA256

    bdd2814e70c075ce41661cc6728bec2555fb2291269d32d5973e932231d25f17

  • SHA512

    35e3c0dfa9351943574ca4d1177fd5f4f00f7aba79e9826191a072e8e65d55a16b06e2684e11a58e92c244ec0833c8e833eb832d2987bd10dc44760c4a51f1b4

  • SSDEEP

    1572864:6exUbXH3qGPA3X2n04n0PgcCu5P3ds7Ical6BEu4ORlKIpDUs0u2hWozR9HLBwNf:ApjRCMx9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
    "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
      "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1768,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:2
      2⤵
        PID:224
      • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
        "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --field-trial-handle=2296,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:3
        2⤵
          PID:2460
        • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
          "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --app-user-model-id=DiscordBotClient --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app" --enable-sandbox --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=3248,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:1
          2⤵
          • Checks computer location settings
          PID:5012
        • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
          "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --field-trial-handle=2948,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
          2⤵
            PID:1780
          • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
            "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --field-trial-handle=4156,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
            2⤵
            • Modifies registry class
            PID:1732
          • C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe
            "C:\Users\Admin\AppData\Local\Temp\DiscordBotClient.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Discord Bot Client" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3896,i,15703847703466629801,7345898183746154756,262144 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3564
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x2e8 0x3e0
          1⤵
            PID:3552

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\Code Cache\js\index-dir\the-real-index

            Filesize

            432B

            MD5

            1c394fe7749054b82cfc091531133b57

            SHA1

            26975eeeb6c14dcc4c1a80fb5956e9fe60913ef3

            SHA256

            ce4cab6e5018cb42ee8feb5cf64df518b16150b376e27916acd82a35beb76624

            SHA512

            5cc175a933872733400716df4d63b004e774c51a53301da115872553999c9dd26ad61672ce29d7f0f6d4c30f4295470995e6e673177da62621041b352e59e57a

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\Code Cache\js\index-dir\the-real-index~RFe57fed2.TMP

            Filesize

            48B

            MD5

            a38ee8b6e1fe186d764870d18ee4edce

            SHA1

            c9cc782a3303507adb4a28d7ef6ee80bcd83a9a4

            SHA256

            b0a29a1ef93595a4cc74b475cf78aaf124298af3c44b6d89119ad3929d1d718f

            SHA512

            fa3d53e2631371c9d413c44e5929e4e4bf41f106b05008ab151328d0e0b7ab22efb63e2df6c95895598f4a09c324ac3950db8aa364fae8b7b243d2d933ad290e

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\Session Storage\CURRENT

            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\config.json

            Filesize

            33B

            MD5

            7f4b6cba2c41723f372e8c3e0482b1dc

            SHA1

            0ce18f6449e770ffd4312de4e6e0b104676596bf

            SHA256

            fc5ef82cc4b82501f0ed62204612860597aa91f3d79cc06e28349267a67760d8

            SHA512

            58c911b737c23e35d54f78bb23218473e1d70191d3e22fda2def15088e92dbdf59d5e32311eab8007d65ce7c7f511a845044dc215dd804767e5d32f8880a333e

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\config.json

            Filesize

            49B

            MD5

            5ec339f9aeb94f39a0411f49e321ec0f

            SHA1

            33f083b189782c901029ab4639235a437a1fde1c

            SHA256

            59afe04fd727b9db365d3ce837486c4adb89bb15819e31f5b758d154ccd0b064

            SHA512

            20ff2dc9f30dee81aa0ab8177ee461746eb109e9d4eb42b6278c6e06153ec94825e6f12b7e0cb614fbfc20519d77583014d08793e0555373da3aa9cef0b34703

          • C:\Users\Admin\AppData\Roaming\Discord Bot Client\config.json.tmp-49980465685ef11d

            Filesize

            81B

            MD5

            386a53b119c42527aef2e3b29ed062a8

            SHA1

            438bfc840d8f613ae6eecd5c1cbf2b57eeb19e15

            SHA256

            2eceb99a44ad80e56fb3b738e9ffa768449bc60803bb190053f1545c0f3f39ed

            SHA512

            fbb5ff29a73854a4d5c623785bd3590e30edf93f661ee37332b7aba566e6c43215af45efe4de1bfb9c75df8a0a028e131b0545badd83a87f83ddfc976751f1b6

          • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          • memory/3564-198-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-192-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-193-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-194-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-200-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-204-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-203-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-202-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-201-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/3564-199-0x000001F28EC50000-0x000001F28EC51000-memory.dmp

            Filesize

            4KB

          • memory/5012-110-0x00007FFAA57C0000-0x00007FFAA57C1000-memory.dmp

            Filesize

            4KB

          • memory/5012-111-0x00007FFAA67F0000-0x00007FFAA67F1000-memory.dmp

            Filesize

            4KB