Analysis Overview
SHA256
8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4
Threat Level: Known bad
The file silence.rar was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-19 16:51
Signatures
Discordrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-19 16:51
Reported
2024-03-19 16:53
Platform
win7-20240221-en
Max time kernel
48s
Max time network
49s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Process | Events |
| C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE | 1 |
| C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE | 1 |
Loads dropped DLL
| Process | Events |
| C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe | 2 |
| C:\Windows\system32\WerFault.exe | 5 |
Enumerates physical storage devices
Delays execution with timeout.exe
| Process | Events |
| C:\Windows\system32\timeout.exe | 1 |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe | "C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe" |
| C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE | "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE" |
| C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE | "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 \| find /i /v "md5" \| find /i /v "certutil" |
| C:\Windows\system32\certutil.exe | certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 |
| C:\Windows\system32\find.exe | find /i /v "md5" |
| C:\Windows\system32\find.exe | find /i /v "certutil" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2028 -s 596 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" |
| C:\Windows\system32\cmd.exe | cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3048 -s 272 |
| C:\Windows\system32\timeout.exe | timeout /t 5 |
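Two of the command lines above deserve a closer look than the signature names give them. The certutil pipeline hashes the sample's own dropped binary and the two `find /v` filters strip certutil's header and trailer lines, so only the bare MD5 reaches the calling process (a self-integrity or licence check pattern). The nested `start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"` opens a second console titled "Error", prints a fake TLS failure and sleeps five seconds: a decoy for the victim and a short execution delay. The following Python is an added example, not the sandbox's or the report's own code: it turns the report's command lines into constructed process-creation events (field names `pid`, `ppid`, `image`, `cmdline` and every pid except the two WerFault targets 2028 and 3048 are assumptions) and runs the detections an analyst would write from them.

```python
"""Process-tree triage rules derived from the sandbox report above (added example)."""
import re

# Matches a per-user temp directory anywhere in a Windows path.
TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed events modelled on the report's process list. Only pids 2028 and
# 3048 come from the report (WerFault's -p targets); the rest are invented.
EVENTS = [
    {"pid": 2028, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"'},
    {"pid": 2100, "ppid": 2028, "image": r"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"'},
    {"pid": 3048, "ppid": 2028, "image": r"C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"'},
    {"pid": 3100, "ppid": 3048, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"'},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5'},
    {"pid": 3102, "ppid": 3100, "image": r"C:\Windows\system32\find.exe", "cmdline": r'find /i /v "md5"'},
    {"pid": 3103, "ppid": 3100, "image": r"C:\Windows\system32\find.exe", "cmdline": r'find /i /v "certutil"'},
    {"pid": 3200, "ppid": 3048, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"'},
    {"pid": 3201, "ppid": 3200, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"'},
    {"pid": 3202, "ppid": 3201, "image": r"C:\Windows\system32\timeout.exe", "cmdline": r"timeout /t 5"},
    {"pid": 3300, "ppid": 2028, "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 2028 -s 596"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the rules over a list of events; return (rule, pid, detail) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        low = cmd.lower()

        # Rule 1: a PE executed straight out of the user's temp directory.
        if TEMP_DIR.search(e["image"]):
            findings.append(("dropped_exe_in_temp", e["pid"], e["image"]))

        # Rule 2: certutil -hashfile aimed at a temp-dir binary. Checked on the
        # cmd.exe host because only there is the find-filter pipeline visible.
        if img == "cmd.exe" and "certutil" in low and "-hashfile" in low:
            m = re.search(r'-hashfile\s+"?([^"\s]+)"?\s+(\w+)', cmd, re.IGNORECASE)
            if m and TEMP_DIR.search(m.group(1)):
                findings.append(("certutil_self_hash", e["pid"], f"{m.group(2).upper()} of {m.group(1)}"))

        # Rule 3: decoy console (title + echo of an error text) followed by a sleep.
        if img == "cmd.exe" and "title" in low and "echo" in low and "timeout /t" in low:
            secs = re.search(r"timeout\s+/t\s+(\d+)", low).group(1)
            findings.append(("decoy_error_window", e["pid"], f"sleeps {secs}s"))

        # Rule 4: timeout.exe whose ancestry leads back to a temp-dir binary.
        if img == "timeout.exe":
            root = e
            while root["ppid"] in by_pid:
                root = by_pid[root["ppid"]]
            if TEMP_DIR.search(root["image"]):
                findings.append(("timeout_delay_from_dropped_exe", e["pid"], root["image"]))

        # Rule 5: WerFault -p <pid> for a process we track: ties crash dumps to the sample.
        if img == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", cmd)
            if m and int(m.group(1)) in by_pid:
                target = basename(by_pid[int(m.group(1))]["image"])
                findings.append(("crash_of_tracked_process", e["pid"], f"pid {m.group(1)} -> {target}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 4 walks the parent chain rather than matching `timeout.exe` alone, because `timeout /t` under an interactive shell is normal; what matters is that the chain is rooted in a freshly dropped binary.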
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| N/A | 127.0.0.1:49203 | N/A | tcp |
| N/A | 127.0.0.1:49205 | N/A | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
Only keyauth.win is contacted on the sample's own account. apps.identrust.com (IdenTrust) and x2.c.lencr.org (Let's Encrypt) are certificate-authority hosts that the Windows certificate chain engine fetches over plain HTTP while validating the TLS certificate presented by keyauth.win; they are not command-and-control and should not be blocked on the strength of this report. The two 127.0.0.1 rows are loopback connections with no associated domain.
Files
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
| MD5 | 6f9c42f940f854243a2f445c8cb750ec |
| SHA1 | aeed75218753dd1f184cc55ebbe8a1a80e5a59f3 |
| SHA256 | 15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a |
| SHA512 | 612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2 |
\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
| MD5 | 8b393057c5c9026495f8efbe7234b1c4 |
| SHA1 | 21aff93ce1ff29a961ac947cafd75b6994fb5ae8 |
| SHA256 | c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30 |
| SHA512 | 57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952 |
memory/2028-11-0x000000013FA90000-0x000000013FAA8000-memory.dmp
memory/2028-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/2028-14-0x000000001B9F0000-0x000000001BA70000-memory.dmp
memory/2028-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/2028-21-0x000000001B9F0000-0x000000001BA70000-memory.dmp
memory/2028-22-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
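The dump names above encode the dumped process, a sequence number and the virtual address range of the region. The following Python is an added example, not code from the sandbox or the report: it parses those names, computes each region's size and groups repeated snapshots of the same range, so an analyst can see at a glance that pid 2028 was dumped over three distinct regions (the small one near 0x13FA90000 is the PE image, the 10 MB one at 0x7FEF5D10000 is a system DLL mapping captured three times, the 512 KB one at 0x1B9F0000 is a private allocation). The address-range classification is a heuristic for x64 Windows 7 and is an assumption, not something the report states.

```python
"""Parse sandbox memory-dump file names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (added example)."""
import re

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Names copied from the Files section of the report above.
DUMPS = [
    "memory/2028-11-0x000000013FA90000-0x000000013FAA8000-memory.dmp",
    "memory/2028-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp",
    "memory/2028-14-0x000000001B9F0000-0x000000001BA70000-memory.dmp",
    "memory/2028-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp",
    "memory/2028-21-0x000000001B9F0000-0x000000001BA70000-memory.dmp",
    "memory/2028-22-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def classify(start):
    """Heuristic region type for x64 Windows 7 user-mode layouts (assumption, not
    from the report): user images load near 0x13F000000 under ASLR, system DLLs
    sit in the 0x7FExxxxxxxx range, and low addresses are heap/private memory."""
    if 0x7FE00000000 <= start < 0x7FF00000000:
        return "system DLL mapping"
    if 0x100000000 <= start < 0x200000000:
        return "image (PE) mapping"
    return "private/heap allocation"


def summarize(names):
    """Group dumps by (pid, start, end); record size, type and the sequence numbers
    at which the same range was captured again."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        entry = regions.setdefault(key, {"size": d["size"], "kind": classify(d["start"]), "seqs": []})
        entry["seqs"].append(d["seq"])
    return regions


if __name__ == "__main__":
    for (pid, start, end), info in sorted(summarize(DUMPS).items()):
        print(f"pid {pid} {start:#018x}-{end:#018x} {info['size']:>10,d} B "
              f"{info['kind']:24} seq={info['seqs']}")
```

Repeated sequence numbers for one range mean the sandbox re-dumped that region at later points in the run; diffing those captures is where unpacked or decrypted payload content usually shows up.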