Malware Analysis Report

2025-03-15 01:11

Sample ID 250220-3artjsxphk
Target config.exe
SHA256 d8977b1135e6261bc2d80bf5cd5c11dcb6573b071675288444da47462eb8f799
Tags
silverrat defense_evasion execution persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8977b1135e6261bc2d80bf5cd5c11dcb6573b071675288444da47462eb8f799

Threat Level: Known bad

The file config.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion execution persistence trojan

Silverrat family

SilverRat

Sets file to hidden

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-20 23:18

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-20 23:18

Reported

2025-02-20 23:20

Platform

win7-20240903-en

Max time kernel

53s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\discord\\$77discord.exe.exe\"" C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\discord\$77discord.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2728 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 528 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 528 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 528 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 528 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 528 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 528 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 864 wrote to memory of 2120 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 2120 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 2120 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 2248 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe
PID 864 wrote to memory of 2248 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe
PID 864 wrote to memory of 2248 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\discord\$77discord.exe.exe

"C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "discord.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 AK4-53145.portmap.host udp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp

Files

memory/2728-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

memory/2728-1-0x000000013F550000-0x000000013F55E000-memory.dmp

memory/2728-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

memory/2728-3-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

memory/2728-4-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp.bat

MD5 db404829663550224d6f01767d7d730c
SHA1 c407135c41ef14208e01c8b892d6589ad8fa85e5
SHA256 fd3ee5096613881d4cdc2ac49614e72654c2e232019b075061aba19d259768ec
SHA512 74be548b4b74a77abc03d47f5c42b4bd59e450afd56597742d54a28b9261f700701e0e9c031d9ba7ce6aaccb258a70a2c3cb4c7e8d1d617c420021762530e3d0

memory/2728-14-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

\Users\Admin\discord\$77discord.exe.exe

MD5 f04fdc29810e2b16364d85fdd50aa425
SHA1 eb097566fec9bd89079240fba838c4f64bbcc757
SHA256 d8977b1135e6261bc2d80bf5cd5c11dcb6573b071675288444da47462eb8f799
SHA512 296de0e37e184e0d77df2d868d1dba7725013244f12e437b1d75d3427ea128ab0c5b300ef416006692ec9642f3fde9084d46744890fd595f64b8fba0c43c4b8b

memory/864-19-0x000000013F440000-0x000000013F44E000-memory.dmp

memory/2120-24-0x000000001B590000-0x000000001B872000-memory.dmp

memory/2120-25-0x0000000002790000-0x0000000002798000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-20 23:18

Reported

2025-02-20 23:20

Platform

win10v2004-20250217-en

Max time kernel

57s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\config.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\discord\$77discord.exe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\discord\\$77discord.exe.exe\"" C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\taskmgr.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\taskmgr.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\taskmgr.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\discord\$77discord.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1704 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1704 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1704 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1704 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1208 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1208 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 1208 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 3560 wrote to memory of 4404 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3560 wrote to memory of 4404 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3560 wrote to memory of 540 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe
PID 3560 wrote to memory of 540 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2778.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\discord\$77discord.exe.exe

"C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "discord.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 AK4-53145.portmap.host udp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp

Files

memory/1704-0-0x00007FF974523000-0x00007FF974525000-memory.dmp

memory/1704-1-0x0000000000840000-0x000000000084E000-memory.dmp

memory/1704-2-0x00007FF974520000-0x00007FF974FE1000-memory.dmp

memory/4916-3-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-4-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-5-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-13-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-15-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-14-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-12-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-10-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-11-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/4916-9-0x0000025BB9A80000-0x0000025BB9A81000-memory.dmp

memory/1704-16-0x00007FF974523000-0x00007FF974525000-memory.dmp

memory/1704-17-0x00007FF974520000-0x00007FF974FE1000-memory.dmp

memory/1704-22-0x00007FF974520000-0x00007FF974FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2778.tmp.bat

MD5 a2053b81337e5ee8d01886b2556f2565
SHA1 f535e37eb0060f4fbfe3a4359b0fd6200bbb7885
SHA256 8babc46964bed797b15dccbc067f038812d333fb1cf4a35bcd350434baa00334
SHA512 54ba781dc7c9839b139ebf6c43aec361bfc876c79d9adf6d5e97c3f9b44720f142ae9a38092846e1c96a4a209180353c16ed598e0978b31c73b23fbe7eb8d959

C:\Users\Admin\discord\$77discord.exe.exe

MD5 f04fdc29810e2b16364d85fdd50aa425
SHA1 eb097566fec9bd89079240fba838c4f64bbcc757
SHA256 d8977b1135e6261bc2d80bf5cd5c11dcb6573b071675288444da47462eb8f799
SHA512 296de0e37e184e0d77df2d868d1dba7725013244f12e437b1d75d3427ea128ab0c5b300ef416006692ec9642f3fde9084d46744890fd595f64b8fba0c43c4b8b

memory/4404-31-0x00000169A2760000-0x00000169A2782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5qqkrxbw.23t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82