Analysis Overview
SHA256
8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4
Threat Level: Known bad
The file silence.rar was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-19 16:46
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-19 16:46
Reported
2024-03-19 16:48
Platform
win7-20240221-en
Max time kernel
53s
Max time network
70s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
"C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2600 -s 600
Network
Files
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
| MD5 | 6f9c42f940f854243a2f445c8cb750ec |
| SHA1 | aeed75218753dd1f184cc55ebbe8a1a80e5a59f3 |
| SHA256 | 15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a |
| SHA512 | 612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2 |
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
| MD5 | 93c283ea752d04bf8567bf031ad4230e |
| SHA1 | 5660e77c6bda05121fc2b235f059ed2a337514bb |
| SHA256 | 0474007452bfe2d5f999fd9710b67015202aa15bce6b7ac9a8f9ed155f1d3177 |
| SHA512 | 4c76cf90cfb2aac6a508e589059a1263fadc3c14176a18d61ec671dac2de9e20a493cb72e416fc45825bfeb32e57faf46592505023145294aa93a239696412d9 |
\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
| MD5 | 4415787ce0954600e25353463d43a5ef |
| SHA1 | 026bd5e1c5d085cd00c31c011f143687623e956c |
| SHA256 | 4adb9d1908673491d9dd2025c74db94ab0973c4fa450dfae06ff1b47e3ae9342 |
| SHA512 | beae33ffe9075da8f2317f6d8d204e0b8f2babcbc1309b67e1ec9f969da8513167039ce783b47fca4366da89373cf78945e93833afb95e54fb8694bd1a380044 |
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
| MD5 | 8b393057c5c9026495f8efbe7234b1c4 |
| SHA1 | 21aff93ce1ff29a961ac947cafd75b6994fb5ae8 |
| SHA256 | c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30 |
| SHA512 | 57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-19 16:46
Reported
2024-03-19 16:49
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
170s
Command Line
Signatures
Discord RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
"C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
Network
Files
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
| MD5 | 6f9c42f940f854243a2f445c8cb750ec |
| SHA1 | aeed75218753dd1f184cc55ebbe8a1a80e5a59f3 |
| SHA256 | 15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a |
| SHA512 | 612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2 |
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
| MD5 | 8b393057c5c9026495f8efbe7234b1c4 |
| SHA1 | 21aff93ce1ff29a961ac947cafd75b6994fb5ae8 |
| SHA256 | c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30 |
| SHA512 | 57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952 |