Overview

overview

10

Static

static

3

tic tac toe.exe

windows7-x64

10

tic tac toe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2024 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tic tac toe.exe

  • Size

    462KB

  • MD5

    d030b7b8bf2872b8e7eff5256f227e6f

  • SHA1

    5f7d935437cb40224cf7d0cd42c25357bcec216d

  • SHA256

    b61487c5c147a2cce5fde93ecbbbf1fbd43b50d478df10225de3d9a18b490b5f

  • SHA512

    e36fc3ee24afa393da618f923fdd082a759cc75a7e76c060919dfa2e8d30e5a11d2b79d37050113a570106ad032d8aeac1f54146fd660c956c22cb151e23e479

  • SSDEEP

    12288:7CQjgAtAHM+vetZxF5EWry8AJGy0y5bj76:75ZWs+OZVEWry8AFBdS

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyNTg2NjQwNDQwMjU2MTEyNA.G6BFhc.X7me8e4THH9YJHaWJb1zFmIAZ2d2W9j2YEjuLI

  • server_id

    1225868572644085790

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tic tac toe.exe
    "C:\Users\Admin\AppData\Local\Temp\tic tac toe.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2060 -s 596
        3⤵
        • Loads dropped DLL
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Filesize

    78KB

    MD5

    b6b9da8bd11b21bf9990b94d2f2416cd

    SHA1

    24441737f32d145fa936b2500e337f08f9e694a5

    SHA256

    dc4df607b2b4a3c80f2400a1566bf87ae981e42cb614b41d6400429d46cd9255

    SHA512

    ae526306ae1a9305ba344c3b53b1b7f378c30eebeb25101a95960259330f268f19d79963c15e71888e6f8f75088bae5238e2cc116b2f8347a0d0e85ba15288a6

    Download Submit

  • memory/2060-11-0x000000013F700000-0x000000013F718000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2060-12-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-13-0x000000001AC00000-0x000000001AC80000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2060-20-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-21-0x000000001AC00000-0x000000001AC80000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2952-4-0x0000000003140000-0x0000000003141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2952-19-0x0000000003140000-0x0000000003141000-memory.dmp

    Filesize

    4KB

    Download