Overview

overview

10

Static

static

10

qwd.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-03-2024 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qwd.exe

  • Size

    78KB

  • MD5

    33d24b41f83ca9261ca0b3ccf6958ac9

  • SHA1

    7c5706704f6d25defcf21a73cfcf1dc0a4d3a77c

  • SHA256

    677e3f181c2103e53a9700fe162e9d39ab8a43001db4ae444ac45670bf3ac999

  • SHA512

    c68da7679537e8b38732c994a60391f95334ff0d1f09a90da5cc35acdd666b168e20203a2c2e5e635fa4a09cfb1744b99b5c6c561f8cac9adcb9366c9032f669

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+oPIC:5Zv5PDwbjNrmAE+sIC

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMzg2MDU4OTk0MDY0MTgxMg.G9LWzO.om3J5EslAC-fvEPdEqmHkMqOfsLzKjbpsdQNG8

  • server_id

    1213861042640388136

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qwd.exe
    "C:\Users\Admin\AppData\Local\Temp\qwd.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    11KB

    MD5

    bfa79d7a546b5ac60f5a8562b2c86799

    SHA1

    f3509bbf7224a4e35e92c453cf13d8c522a0219c

    SHA256

    f23d82f15277079aab16232383cf5829c9f53bc997e98e9bd3b5599cfa80df83

    SHA512

    32d99ab686be4e39ab1206e048f8fa566948adeff1b2f97e74bc27e85eece45047736e1779aea97fc1d142dcfb7472f3f12650532b86a2d3fe547c7334307366

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    11KB

    MD5

    ae9795843ff54860f7ebb5569f434e83

    SHA1

    3bdcba3b4e7ea0f191c90d4211395d5a6e3c8cab

    SHA256

    b46781bfff93fe6a51f19337b2c0f68c940a8a1497f56ffbc5e66688073abfbd

    SHA512

    6a6c20f0f39710bb93868d61d7222e5082ceb06c07f1fe685a41e96fd52a6b8d8e568d4cd134b2824e416e8b819b7c94ffae2c7b68c7ec25f411c48943cc2357

    Download Submit

  • memory/3948-0-0x0000012736FD0000-0x0000012736FE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3948-1-0x0000012751700000-0x00000127518C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3948-2-0x00007FFE32560000-0x00007FFE33022000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3948-3-0x00000127516E0000-0x00000127516F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-4-0x0000012752980000-0x0000012752EA8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3948-5-0x00007FFE32560000-0x00007FFE33022000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3948-24-0x0000012752EB0000-0x000001275317A000-memory.dmp

    Filesize

    2.8MB

    Download