Overview

overview

10

Static

static

10

silence/si...ce.exe

windows10-2004-x64

10

Resubmissions

19-03-2024 16:53

240319-vd25pagh87 10

19-03-2024 16:51

240319-vcxhtagh56 10

Analysis

  • max time kernel
    20s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    silence/silence-workspace.exe

  • Size

    1.7MB

  • MD5

    839a13e8b65aab0cb6d061ac82a8e3d4

  • SHA1

    3de9d9d68c94493867bcb081d093bf39d45bf923

  • SHA256

    a8741e78c8b8b86042814e65b5a7ab358f1050757de3738a0d358097db996bd3

  • SHA512

    ea2ded5b24dc88af32673957a7cc85c5b602fec5731c4af4d3cb9859009f0af6d2b9b629253090d23715af3b8030fc5727612f92a5339e08748fad5694eff2bc

  • SSDEEP

    49152:O0xx0GTBlPBAc2AVMlsHbeucMYc5pSoUiGG8:OWTkcH3Hyo

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwODA5NTM2NDk2MDM1NDM3NA.GizXN5._a-pu5nHBPQiBTo-MibYQvf7mDtkutfsttwhUo

  • server_id

    1208095629734322196

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
    "C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
      "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
      "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
          4⤵
            PID:2964
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:3972
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:2708

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
          Filesize

          78KB

          MD5

          6f9c42f940f854243a2f445c8cb750ec

          SHA1

          aeed75218753dd1f184cc55ebbe8a1a80e5a59f3

          SHA256

          15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a

          SHA512

          612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
          Filesize

          1.6MB

          MD5

          8b393057c5c9026495f8efbe7234b1c4

          SHA1

          21aff93ce1ff29a961ac947cafd75b6994fb5ae8

          SHA256

          c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30

          SHA512

          57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

          Download Submit

        • memory/4768-16-0x0000013A391B0000-0x0000013A391C8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4768-19-0x0000013A53890000-0x0000013A53A52000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4768-20-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4768-22-0x0000013A3AF60000-0x0000013A3AF70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4768-23-0x0000013A54090000-0x0000013A545B8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4768-24-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

          Filesize

          10.8MB

          Download