File name:

ultimate_discord_nuke.exe

Full analysis: https://app.any.run/tasks/1b21cc1e-0a13-4bb2-a4f2-b52f74ceb8ac
Verdict: Malicious activity
Analysis date: May 20, 2022, 17:58:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

A86BC9C2F2C363E6A86AFB3078C33C68

SHA1:

5D416D8945AEAAC22C9B58E890114048D85F7F1B

SHA256:

A1EA0D96D6EBB8587C2E9A3AF50B9B95893229E66DC9038271C19C465E1E4432

SSDEEP:

196608:pWIIJi5fmzONYXz5neX38DXDQ9xtbYPvbJQlHHO2SvWssYupK8CKwIwPuHxKTrbf:qJ3p0MDTQ9xkJQlnVMLPuHEz8Ati

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • ultimate_discord_nuke.exe (PID: 3040)

    • Drops executable file immediately after starts

      • ultimate_discord_nuke.exe (PID: 3996)

  • SUSPICIOUS

    • Checks supported languages

      • ultimate_discord_nuke.exe (PID: 3996)
      • ultimate_discord_nuke.exe (PID: 3040)

    • Reads the computer name

      • ultimate_discord_nuke.exe (PID: 3996)

    • Application launched itself

      • ultimate_discord_nuke.exe (PID: 3996)

    • Loads Python modules

      • ultimate_discord_nuke.exe (PID: 3040)

    • Drops a file with a compile date too recent

      • ultimate_discord_nuke.exe (PID: 3996)

    • Executable content was dropped or overwritten

      • ultimate_discord_nuke.exe (PID: 3996)

  • INFO

    • Checks supported languages

      • NOTEPAD.EXE (PID: 4036)

    • Manual execution by user

      • NOTEPAD.EXE (PID: 4036)

    • Dropped object may contain Bitcoin addresses

      • ultimate_discord_nuke.exe (PID: 3996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x7a6a
UninitializedDataSize: -
InitializedDataSize: 382976
CodeSize: 128512
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:01:05 13:16:15+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 05-Jan-2020 12:16:15

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 05-Jan-2020 12:16:15
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001F4D4
0x0001F600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.6643
.rdata
0x00021000
0x0000B19E
0x0000B200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.11204
.data
0x0002D000
0x0000E680
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.93811
.gfids
0x0003C000
0x000000B8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.86299
.rsrc
0x0003D000
0x00050054
0x00050200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.06351
.reloc
0x0008E000
0x000017D4
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65456

Resources

Title
Entropy
Size
Codepage
Language
Type
0
1.67095
20
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON
1
5.30727
1044
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
6.05629
2216
Latin 1 / Western European
UNKNOWN
RT_ICON
3
5.5741
1384
Latin 1 / Western European
UNKNOWN
RT_ICON
4
7.95079
37019
Latin 1 / Western European
UNKNOWN
RT_ICON
5
5.29119
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
6
5.43869
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
7
5.89356
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
101
2.71858
104
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
WS2_32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ultimate_discord_nuke.exe ultimate_discord_nuke.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3040"C:\Users\admin\AppData\Local\Temp\ultimate_discord_nuke.exe" C:\Users\admin\AppData\Local\Temp\ultimate_discord_nuke.exeultimate_discord_nuke.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ultimate_discord_nuke.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
3996"C:\Users\admin\AppData\Local\Temp\ultimate_discord_nuke.exe" C:\Users\admin\AppData\Local\Temp\ultimate_discord_nuke.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ultimate_discord_nuke.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
4036"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\New Text Document.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
675
Read events
675
Write events
0
Delete events
0

Modification events

No data
Executable files
34
Suspicious files
3
Text files
927
Unknown types
2

Dropped files

PID
Process
Filename
Type
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_asyncio.pydexecutable
MD5:5435CE08F40FBE43230CAE8D3DFF232C
SHA256:79FDA30CBFC95DB2BA60646FF53DFF45B5ADD57C12241C4A82FA798CB3B543DF
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_lzma.pydexecutable
MD5:54F12E2385A77D825AE4D41A4AC515FE
SHA256:08DE18FBA635822F3BB89C9429F175E3680B7261546430BA9E2ED09BB31F5218
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_socket.pydexecutable
MD5:CEA329CE0935E99A8BC01070F07FEFAF
SHA256:D1A4D66C557C2FE7DC441614CA62E67F37EC44BEF5A762BAC41BAC15D491A930
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_ctypes.pydexecutable
MD5:3A2E78784B929003A6BACEEBDB0EFA4D
SHA256:F205948B01B29CB244AE09C5B57FD4B6C8F356DFCD2F8CB49E7CFD177A748CF9
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_elementtree.pydexecutable
MD5:29928F61AAC2E9989BB097620B52A289
SHA256:EB8DE455AE9EF9B5223DA2EAA2A74121EB2FE5371CB07E803E8E6E5C3CB5FB44
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_multiprocessing.pydexecutable
MD5:8901E96BB7A8EEAD994AF2BDF54A2447
SHA256:823A96F080A3424F4C5327CF61FF517723E19A69679EBE93EA97061063D8D593
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_queue.pydexecutable
MD5:BC5FCE7B8DE6CA765CBF79F9D0587164
SHA256:A5DB4D041F40FB01761B5BAA907099DB89CF891B0DF0251D92DA2FBF9DC3897B
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_ssl.pydexecutable
MD5:B9ECF769FC63A542A113CA1552DC7A7B
SHA256:E0BDB16CFFC7B5A19C5AF22D8A33D3C999D55A3117F2DA07ED3171CA9487927E
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_overlapped.pydexecutable
MD5:AA428E44A78A280EC8152C43D8284F6F
SHA256:F8FDA2A6E3FF0069E634FEEC4854EE7A8C24134C747DE3211AC2BA26E0188C79
3996ultimate_discord_nuke.exeC:\Users\admin\AppData\Local\Temp\_MEI39962\_tkinter.pydexecutable
MD5:D65A7C7A6AB77DC73E0E339D27FF4BBE
SHA256:994F1006DF8DA63C1456F18A0203452486FBD5A946C431F610A824170B2AA728
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ultimate_discord_nuke.exe