Analysis Overview
SHA256
b1f32da53c09893e50094325682f61d0b6e662ab7d1df628dd5167d25b7a7c67
Threat Level: Known bad
The file Z1ON Dot Net Obfuscator v2.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 18:26
Reported
2024-03-24 18:35
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe"
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1304 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 628
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
Files
memory/2028-0-0x00000000000E0000-0x00000000001B6000-memory.dmp
memory/2028-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp
memory/2028-2-0x000000001B190000-0x000000001B210000-memory.dmp
\Users\Admin\AppData\Local\Temp\Client-built.exe
| MD5 | cc9f95bc616eaa9f2e7b6318eac6ef60 |
| SHA1 | 60f6705dad7f26f6284006f29f7fb64b9075fed1 |
| SHA256 | e9157690a3c1cab1d44afaabbdceb26679f5a02202f185ad854f6264a23a7c31 |
| SHA512 | abf98ac5e492d56808b10111c9663a59251c0a0c61396b6d49307bce3357e6585c0da7f20f78707846f18af1fa5bccb4d9d91b4778140b583ae64462d770f668 |
memory/1304-10-0x000000013F480000-0x000000013F498000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
| MD5 | c7fa9a7d9b0d2cdb6742477158b190f8 |
| SHA1 | 44258c848294d209c6504640f9c785241485fc28 |
| SHA256 | 08aa03c784c192aa76acc4da4f79eca7a86e769e405e33c4bff9b0246989af74 |
| SHA512 | 2f0b2af4400a16abf365fcc122ae92e6a6ebcd0aa5ce77a7601e27f219dd03132eb47ad9a84916028e3dd0eb228000652ad8f3059f6e717fa22c4049c9ec5540 |
memory/1304-16-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp
memory/2028-17-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp
memory/1160-18-0x0000000000A60000-0x0000000000B64000-memory.dmp
memory/1160-19-0x00000000749A0000-0x000000007508E000-memory.dmp
memory/1304-20-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/1160-21-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1160-26-0x0000000004A70000-0x0000000004B4C000-memory.dmp
memory/1160-33-0x00000000749A0000-0x000000007508E000-memory.dmp
memory/1304-34-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp
memory/2552-35-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2552-36-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 18:26
Reported
2024-03-24 18:35
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Discord RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe |
| PID 2664 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe |
| PID 2664 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe |
| PID 2664 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe |
| PID 2664 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe | C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe"
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1060
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| GB | 96.17.179.68:80 | tcp |
Files
memory/2664-0-0x00000000005A0000-0x0000000000676000-memory.dmp
memory/2664-1-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp
memory/2664-2-0x000000001B3B0000-0x000000001B3C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
| MD5 | cc9f95bc616eaa9f2e7b6318eac6ef60 |
| SHA1 | 60f6705dad7f26f6284006f29f7fb64b9075fed1 |
| SHA256 | e9157690a3c1cab1d44afaabbdceb26679f5a02202f185ad854f6264a23a7c31 |
| SHA512 | abf98ac5e492d56808b10111c9663a59251c0a0c61396b6d49307bce3357e6585c0da7f20f78707846f18af1fa5bccb4d9d91b4778140b583ae64462d770f668 |
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
| MD5 | c7fa9a7d9b0d2cdb6742477158b190f8 |
| SHA1 | 44258c848294d209c6504640f9c785241485fc28 |
| SHA256 | 08aa03c784c192aa76acc4da4f79eca7a86e769e405e33c4bff9b0246989af74 |
| SHA512 | 2f0b2af4400a16abf365fcc122ae92e6a6ebcd0aa5ce77a7601e27f219dd03132eb47ad9a84916028e3dd0eb228000652ad8f3059f6e717fa22c4049c9ec5540 |
memory/3744-17-0x00000223652B0000-0x00000223652C8000-memory.dmp
memory/3744-26-0x000002237F940000-0x000002237FB02000-memory.dmp
memory/3744-28-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp
memory/2664-29-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp
memory/3972-31-0x0000000075320000-0x0000000075AD0000-memory.dmp
memory/3744-32-0x000002237F920000-0x000002237F930000-memory.dmp
memory/3972-30-0x0000000000F40000-0x0000000001044000-memory.dmp
memory/3972-33-0x0000000005980000-0x0000000005A5C000-memory.dmp
memory/3972-35-0x0000000005B00000-0x0000000005B92000-memory.dmp
memory/3972-34-0x0000000006010000-0x00000000065B4000-memory.dmp
memory/3744-36-0x0000022300530000-0x0000022300A58000-memory.dmp
memory/3972-37-0x0000000005CA0000-0x0000000005CAA000-memory.dmp
memory/3972-38-0x0000000075320000-0x0000000075AD0000-memory.dmp
memory/3744-39-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp
memory/3744-40-0x000002237F920000-0x000002237F930000-memory.dmp