Malware analysis Attacker.exe Malicious activity | ANY.RUN

Add for printing

File name:	Attacker.exe
Full analysis:	https://app.any.run/tasks/1a5dc30d-5f09-4b05-ad8f-e4e80d690ad8
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 04, 2024, 01:20:31
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github evasion stealer pyinstaller python susp-powershell discordgrabber generic upx discord
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F6015E69336A2B4D5EAD4F00668437AE
SHA1:	EE66C70E8ED39EB0F1542178360F2077415B3528
SHA256:	12B6F4D50A0D43248255D5710208EB19F5490E35621A8D8F2BB0BC72A15471F8
SSDEEP:	196608:qtSVUAanf7D/V1ppXxRjxRcWMI9UzNYbY:qts0fvjxRcW5UzNY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- Create files in the Startup directory
  - Attacker.exe (PID: 6460)
- Windows Defender preferences modified via 'Set-MpPreference'
  - cmd.exe (PID: 6944)
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 6944)
- Adds extension to the Windows Defender exclusion list
  - Attacker.exe (PID: 6460)
  - cmd.exe (PID: 6944)
- DISCORDGRABBER has been detected (YARA)
  - Attacker.exe (PID: 6460)
- Actions looks like stealing of personal data
  - Attacker.exe (PID: 6460)
SUSPICIOUS
- Process drops python dynamic module
  - Attacker.exe (PID: 6440)
- Executable content was dropped or overwritten
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- Process drops legitimate windows executable
  - Attacker.exe (PID: 6440)
- Application launched itself
  - Attacker.exe (PID: 6440)
- Loads Python modules
  - Attacker.exe (PID: 6460)
- The process drops C-runtime libraries
  - Attacker.exe (PID: 6440)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 6556)
  - cmd.exe (PID: 7124)
- Starts CMD.EXE for commands execution
  - Attacker.exe (PID: 6460)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 6620)
  - WMIC.exe (PID: 6924)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 6692)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 6944)
- Checks for external IP
  - Attacker.exe (PID: 6460)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 6944)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 6944)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 6944)
- The process hide an interactive prompt from the user
  - cmd.exe (PID: 6944)
- There is functionality for taking screenshot (YARA)
  - Attacker.exe (PID: 6460)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 6964)
- Uses WMIC.EXE to obtain CPU information
  - Attacker.exe (PID: 6460)
- Accesses operating system name via WMI (SCRIPT)
  - WMIC.exe (PID: 6268)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 7068)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 7132)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 6344)
- Script adds exclusion extension to Windows Defender
  - cmd.exe (PID: 6944)
INFO
- Reads the computer name
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- Checks supported languages
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- Create files in a temporary directory
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- Checks proxy server information
  - Attacker.exe (PID: 6460)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 6620)
  - WMIC.exe (PID: 6320)
  - WMIC.exe (PID: 7068)
  - WMIC.exe (PID: 6844)
  - WMIC.exe (PID: 6268)
  - WMIC.exe (PID: 6924)
- Creates files or folders in the user directory
  - Attacker.exe (PID: 6460)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 7020)
  - powershell.exe (PID: 6048)
  - powershell.exe (PID: 6184)
  - powershell.exe (PID: 6292)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7020)
  - powershell.exe (PID: 6292)
- Found Base64 encoded access to Windows Defender via PowerShell (YARA)
  - Attacker.exe (PID: 6460)
- PyInstaller has been detected (YARA)
  - Attacker.exe (PID: 6440)
  - Attacker.exe (PID: 6460)
- UPX packer has been detected
  - Attacker.exe (PID: 6460)
- Attempting to use instant messaging service
  - Attacker.exe (PID: 6460)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:08:03 19:32:46+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	168960
InitializedDataSize:	92160
UninitializedDataSize:	-
EntryPoint:	0xc0d0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

161

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4236

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4276

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4644

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6048

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll

6184

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6268

wmic os get Caption

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

6292

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6320

wmic cpu get Name

C:\Windows\System32\wbem\WMIC.exe

—

Attacker.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

6344

C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\cmd.exe

—

Attacker.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

6440

"C:\Users\admin\Desktop\Attacker.exe"

C:\Users\admin\Desktop\Attacker.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\attacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

26 526

Read events

26 526

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_pkcs1_decode.pyd		executable
		MD5:5A600939BEA7972085FCD1FB8C5AFC4B	SHA256:656D8C5869F87D20385CEF4B8C43E5B49A259E57405B7DC3C92037C2E09BB311
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_arc2.pyd		executable
		MD5:B58DB42A88C8990F7A8B4AA53BE1B36B	SHA256:6C4A39EA9A9E7FA31AE5493D93FB9DAA5CCD55FAB8425FE8B9847330F2AA708B
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_chacha20.pyd		executable
		MD5:B373B105751E4EB54D7BED60ABF38772	SHA256:7E1066DEFB01B427EBA03C04159FBBA281BB2440AB622FECC408F9725E0FFC70
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_cfb.pyd		executable
		MD5:4D651469EFF9F0A3F904FCAC9B1A41D2	SHA256:1B835A8C05DCC24C77FCF21AE0091CE34ACA3B6B3D153415E3F0CF0142C53F9B
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_Salsa20.pyd		executable
		MD5:067672B26A276933CA266A4905411177	SHA256:D0A372A717C35ED589FE00A93A182DE8C60F4284EA1174F80EEDFA61F073387E
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_cast.pyd		executable
		MD5:D0B0D6D172EE41D70B0F2CAE5BC5D872	SHA256:300563C4557D1833B97470BB4A25AA1B502617BC75B9D96A99A9467806F11F8C
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_des3.pyd		executable
		MD5:7CEFBE1123ED3489A630A7111127D42B	SHA256:4D61A89B941D29F9162812F3500D13BCE99C452ABF224E2F720204AD2A7A8F62
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_blowfish.pyd		executable
		MD5:0DE940D103A8B74532698F86EE910C29	SHA256:E85AAE1EE31572630A15370C9412228360BCEAC685D3CEAF96A18F9BC583F1D1
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_cbc.pyd		executable
		MD5:F2BF3F3CDCE0E6A8A29BD7FAD094736B	SHA256:D8A9EDFF4C8CBBD02CC89541CD1A9F8B1BA8381F000A86F910B4D6831BB9A034
6440	Attacker.exe	C:\Users\admin\AppData\Local\Temp\_MEI64402\Cryptodome\Cipher\_raw_ctr.pyd		executable
		MD5:0A47AE20F5C45144EAA5C6AF1BA33757	SHA256:77D5D375FA405F83FBA90FF51BDA86C2233146A3AA768367F8EF582ABA453AAB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3900	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6588	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5032	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2340	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3068	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6460	Attacker.exe	104.26.12.205:443	api.ipify.org	CLOUDFLARENET	US	unknown
6460	Attacker.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2340	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	150.171.28.10:443	www.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted
api.ipify.org	104.26.12.205 104.26.13.205 172.67.74.152	shared
raw.githubusercontent.com	185.199.108.133 185.199.111.133 185.199.109.133 185.199.110.133	shared
www.bing.com	150.171.28.10 150.171.27.10	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	40.126.32.138 40.126.32.76 20.190.160.17 40.126.32.68 40.126.32.133 20.190.160.20 20.190.160.22 40.126.32.134	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	2.23.209.187 2.23.209.130	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6460	Attacker.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6460	Attacker.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6460	Attacker.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
6460	Attacker.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6460	Attacker.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

No debug info

General Info

Attacker.exe

F6015E69336A2B4D5EAD4F00668437AE

EE66C70E8ED39EB0F1542178360F2077415B3528

12B6F4D50A0D43248255D5710208EB19F5490E35621A8D8F2BB0BC72A15471F8

196608:qtSVUAanf7D/V1ppXxRjxRcWMI9UzNYbY:qts0fvjxRcW5UzNY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Create files in the Startup directory

Windows Defender preferences modified via 'Set-MpPreference'

Adds path to the Windows Defender exclusion list

Adds extension to the Windows Defender exclusion list

DISCORDGRABBER has been detected (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

Process drops python dynamic module

Executable content was dropped or overwritten

Process drops legitimate windows executable

Application launched itself

Loads Python modules

The process drops C-runtime libraries

Uses WMIC.EXE to obtain Windows Installer data

Starts CMD.EXE for commands execution

Accesses product unique identifier via WMI (SCRIPT)

Uses NETSH.EXE to obtain data on the network

Script disables Windows Defender's real-time protection

Checks for external IP

Script disables Windows Defender's IPS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

The process hide an interactive prompt from the user

There is functionality for taking screenshot (YARA)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain CPU information

Accesses operating system name via WMI (SCRIPT)

Accesses video controller name via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Uses WMIC.EXE to obtain computer system information

Script adds exclusion extension to Windows Defender

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Checks proxy server information

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

PyInstaller has been detected (YARA)

UPX packer has been detected

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information