Overview

overview

10

Static

static

10

silence/si...ce.exe

windows10-2004-x64

10

silence/silence.json

windows10-2004-x64

3

Resubmissions

19-03-2024 16:46

240319-t968vagg74 10

19-03-2024 16:44

240319-t811fahe2x 10

19-03-2024 16:41

240319-t68x9sgf77 10

Analysis

  • max time kernel
    78s
  • max time network
    86s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    silence/silence-workspace.exe

  • Size

    1.7MB

  • MD5

    839a13e8b65aab0cb6d061ac82a8e3d4

  • SHA1

    3de9d9d68c94493867bcb081d093bf39d45bf923

  • SHA256

    a8741e78c8b8b86042814e65b5a7ab358f1050757de3738a0d358097db996bd3

  • SHA512

    ea2ded5b24dc88af32673957a7cc85c5b602fec5731c4af4d3cb9859009f0af6d2b9b629253090d23715af3b8030fc5727612f92a5339e08748fad5694eff2bc

  • SSDEEP

    49152:O0xx0GTBlPBAc2AVMlsHbeucMYc5pSoUiGG8:OWTkcH3Hyo

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwODA5NTM2NDk2MDM1NDM3NA.GizXN5._a-pu5nHBPQiBTo-MibYQvf7mDtkutfsttwhUo

  • server_id

    1208095629734322196

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
    "C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
      "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
      "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
          4⤵
            PID:5108
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:1608
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:2836
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:5272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:5780
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:5880

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
              Filesize

              78KB

              MD5

              6f9c42f940f854243a2f445c8cb750ec

              SHA1

              aeed75218753dd1f184cc55ebbe8a1a80e5a59f3

              SHA256

              15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a

              SHA512

              612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
              Filesize

              704KB

              MD5

              99cd7ad997482bbb4608e22d6c1f8ce5

              SHA1

              870166172f7800ea652e44571b13cab43525f1e8

              SHA256

              f48ffcc29c01795b6a73a4d479fed81a0666acc9b18219f72a2ebec68c62d296

              SHA512

              f2d9c1b682a353e7826db9416354aa8c3911367f392e88e80c11f7704dc7e1614853f7076268bf9cd68472b8af737251964514934fec20915a99be586b378367

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
              Filesize

              640KB

              MD5

              ac53e8b4fb2c02462158044a81f25213

              SHA1

              094fdb0b46f67e9b781ed49f2dc7562156eae92c

              SHA256

              cf26448737c8365bff5f9e0433ee9d1cf6aaab965b69342f325bed0e665dc8cd

              SHA512

              eb65c2cef8979b16abaf87303c8393a7e6601a6fd312e0bb50d32d08322e7a46bb7f394c1728b9d67a5c8456b22f0eb5fd4fae6fd720913ba89bf926709fb23a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
              Filesize

              1.6MB

              MD5

              8b393057c5c9026495f8efbe7234b1c4

              SHA1

              21aff93ce1ff29a961ac947cafd75b6994fb5ae8

              SHA256

              c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30

              SHA512

              57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

              Download Submit

            • memory/2124-25-0x00000171AFB40000-0x00000171AFB50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2124-19-0x00000171AFBD0000-0x00000171AFD92000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2124-21-0x00007FFCD4460000-0x00007FFCD4F21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2124-22-0x00000171AFB40000-0x00000171AFB50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2124-23-0x00000171B0C80000-0x00000171B11A8000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/2124-24-0x00007FFCD4460000-0x00007FFCD4F21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2124-15-0x00000171955F0000-0x0000017195608000-memory.dmp

              Filesize

              96KB

              Download

            • memory/5272-28-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-26-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-27-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-32-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-33-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-34-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-35-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-36-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-37-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5272-38-0x000001A0B3700000-0x000001A0B3701000-memory.dmp

              Filesize

              4KB

              Download