Overview

overview

10

Static

static

1

MainMenu.rbxm

windows10-2004-x64

10

MainMenu.rbxm

windows11-21h2-x64

3

Resubmissions

16-04-2024 10:41

240416-mrjaqsab9w 3

15-04-2024 18:03

240415-wnfj4sfa2v 6

15-04-2024 17:57

240415-wj2xjsce98 10

15-04-2024 17:53

240415-wgfljaeg6s 10

Analysis

  • max time kernel
    49s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-04-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MainMenu.rbxm

  • Size

    14KB

  • MD5

    570b9b9cd36ee573826296c9c1e24dea

  • SHA1

    69bb3c2b05b2043b53fa2fa25f3c227d3b3c7bbc

  • SHA256

    398c45daf283a0bb0a57696cac3c2f67fff96d5ea5f0f53a6f1dd7a693a0e22a

  • SHA512

    6d59a8fed062a7a95ddeab579e21f2eda37c9c9a635be657bd1122fb57498f20a18deb9fa3434c4d9dad62bf85a1a9a1751e5e21a7a0403863039edd51a39a82

  • SSDEEP

    192:WkV5Yqitq3KfkjaGRCNkjWKARcZizO9Bpy/nw8vJemQQJ:pDaiLRCJKocZiy9Py/nLvJeyJ

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyMjY1ODg0NzM1NzkyNzQzNQ.G46owp.2JEzFsoF0sNveJ3Ig7Q_yTdVD59ktO7ZBNMdzw

  • server_id

    1211370597838487562

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\MainMenu.rbxm
    1⤵
    • Modifies registry class
    PID:3192
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3960
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.0.1112656540\1292596843" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1796 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dba6850-55e7-4dd8-a2e4-95984507dd09} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 1964 1d82f7d7e58 gpu
        3⤵
          PID:2224
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.1.1878204917\333203703" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f086b29a-d5cc-41f6-bdce-9a28a59b2794} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 2364 1d82f4fd258 socket
          3⤵
            PID:2676
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.2.1864992970\1152001785" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6d0ba3-1b79-45c3-bea9-a9bdf79a1f41} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 3192 1d82f75fc58 tab
            3⤵
              PID:4852
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.3.1507651361\76900345" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc33636-208e-48e2-84be-5361c0a294f3} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 3560 1d831ec5558 tab
              3⤵
                PID:372
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.4.609373687\1596989693" -childID 3 -isForBrowser -prefsHandle 3852 -prefMapHandle 3848 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {523d5e66-cb08-4957-98f5-2e87cb485ad4} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 3860 1d832210258 tab
                3⤵
                  PID:4284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.5.1061289369\1989049075" -childID 4 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ccba0d-4755-4236-bbf0-88c4987cdc3c} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 4896 1d81ba5f858 tab
                  3⤵
                    PID:5168
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.6.2139700390\1010091529" -childID 5 -isForBrowser -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebea6162-0795-45a2-88ed-a3ea59ffdd24} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5052 1d835c27158 tab
                    3⤵
                      PID:5176
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.7.700898513\48033796" -childID 6 -isForBrowser -prefsHandle 5060 -prefMapHandle 3792 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eba99e19-9aa3-4465-9bf4-72e57a7f114c} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5076 1d8354ca058 tab
                      3⤵
                        PID:5184
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.8.1455826871\1649245467" -childID 7 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58fe8b60-fa50-41ce-a920-fff448f805e9} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5932 1d83665e458 tab
                        3⤵
                          PID:5908
                        • C:\Users\Admin\Downloads\FunnyDoxTool.exe
                          "C:\Users\Admin\Downloads\FunnyDoxTool.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5132
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
                      1⤵
                        PID:4612

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        5f0d276d3c2b52fd46ab8ad07f106815

                        SHA1

                        716d90a0f427ccc6d20793de726e57033c8acf4e

                        SHA256

                        25049e85156ad860c74039c2b6b937c9a2946c5c32d4e4c5a622a6c8ee4502e1

                        SHA512

                        d6a52e02054f5cd29d67bc364635e2cdc5d7f5b7cbba8b88aecc881d898fa270b2bb5701b56e7f83e6bdb0b933e1e6e7d8dd7e968ffa4f2ca98e58964c0ca37a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\4149f1be-0c0c-471c-b6eb-59c01cf318be
                        Filesize

                        10KB

                        MD5

                        b28972e3661a2b365f4f7da50a764bce

                        SHA1

                        aae4eae2332e5c7b2fa38ba54aea1fbf26021f9c

                        SHA256

                        f5635755f659999928a769c86aeff7bd75624edbfa74693388149b43d8e59f6b

                        SHA512

                        5ea109556be23766cabe933bc2e06e11ba51ba31d8e41ea81a4f037667da872f404af9a7ceca0c69b2feada9a17a7bbc861c0a37104063537108303a360c949a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a2b04458-38ce-4662-bfc9-4587cef99d54
                        Filesize

                        746B

                        MD5

                        32ee747284c35c22ee1fa72f80bc1c98

                        SHA1

                        8cb7b952ee8773d238ba5df86145da1a3a903639

                        SHA256

                        1e5e62a0405c9fd3f04940f3ac35cd3c068a5cfe6b5c8901c2884b30c852920d

                        SHA512

                        ee17276988dfe20df0dbbd45f582df22eeddb34068c0023a5ef1f9e1b6884834a6ee861a265ec99ce34e0ceb415cdd0531b7b5bfc196f95fe7a6483f2645e5ed

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        fbd97398c8bf468c19a402633d608312

                        SHA1

                        2b4beecf6af0162527a0444f781c63e7ad25b03d

                        SHA256

                        a5790ee075066d7cf1b32ffab242d856187e80d31e4b463dfe88ad5581be9fe3

                        SHA512

                        1a9f2961544a34d4d738a69a6a7a0b439d404faa71fb5fe853c4ed68443753695979811d919a58873c84c3c7ab4a92600aef76a50751ecbc777057aef674c7e5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        f177dd9827f534c8cd5efdb8ea7256f2

                        SHA1

                        db770bd15960eb17685364cd00d2c89cc20c363d

                        SHA256

                        fa6723d9d5680096714bee381255170b2148f7e26c6a4d25dd4cd868102d99ec

                        SHA512

                        d72d69a5dc6a2648afb58264806ae0e1ef3d8d81c9b162d2d06c60adc50e85449bd83e9910e89eec0d172bd0ccd0574f6a01cfc5c0dc6ee3780d55ba5798af9b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        9707815b496b271212af49db0d86f180

                        SHA1

                        2fb95180b26ebd30f9610bd03c1f8d7b8e04140f

                        SHA256

                        771b4e79891e8aeba0aa4117783c146e0608ece6da1eddca9e1dcadebcd7948e

                        SHA512

                        237d4f16c69193c3b6c12c356665242c5123ab14ca6ddda19e69acb3efac28f233befeba9f52f54a9fa86b7ba241fc0cf2eea0fbcb68d4ddeb902266295f2156

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        d9c6f07a019f3634a771af3ee68476c1

                        SHA1

                        e1b42ea2403d593d7e4a49e5d6e6783a8b7a0a1b

                        SHA256

                        77fea8a05d73b95cebc21fa40b8d25d27760f4b430c9c7495dd269b08b911e0d

                        SHA512

                        d65ca68cf463dc30873736e70c22be6c2acc4c92e8b82bd09030412228a0e90acfd3d0fe6af33ce6448c2f35c6f0a2d8f3915c222a1b0b90ac7c513e48904a10

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        5KB

                        MD5

                        2ee9558a6f6c05b152de3c870a888abb

                        SHA1

                        20c5b9e8aa6b4c271e4d1a704de2506a21adf387

                        SHA256

                        c619b91e08b94503cd569f927802a985e4866d3fa76cfc02d33b8197a0e524cd

                        SHA512

                        c73ecc412948dfc97a347be4aed311342e677c83f13bcf1d6783cf4622743895f95cbd2b268bd679c80777500d9b8a05661b09613ac16b031791b5887a4057a7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        03994b88bdc9e598d88f9273dfec8e0e

                        SHA1

                        9c4d73dc30e024c6884167494d36edc072a59cc6

                        SHA256

                        51f2123c825c0e1071fa87a6d9e6cf057b9829be2092ba1277681ce095dd270e

                        SHA512

                        17741d2e38e8a695c7b10ad67bf390d5ce515136ccf2e7445aa705d427c2f05213ce83cfa333651971759e49bebd2d70b3fd3535b17008328f69cf3a04c407a0

                        Download Submit

                      • C:\Users\Admin\Downloads\FunnyDoxTool.exe
                        Filesize

                        78KB

                        MD5

                        d0b858303947d101e8b9a57c343d71ff

                        SHA1

                        17c34168cc66dd98722a9d8c775e1323271e9488

                        SHA256

                        f5c01bceb79437333a7fcee8c7eb537f0d165d22626815fd45cc6721895e17f8

                        SHA512

                        8a309d3c63ed8ac01096e31d8676abc6515352ff0411df453a754c2f5c73c17e0e144b1aaefae289adf21f1cbaecfcadb965df848424c0f40c7cc7bd5f707532

                        Download Submit

                      • C:\Users\Admin\Downloads\FunnyDoxTool.vY07lNUT.exe.part
                        Filesize

                        76KB

                        MD5

                        667502c9be62c10149edbd19b014f53e

                        SHA1

                        39d4277eb185e73b02916fd2dcbfcdee675b9e25

                        SHA256

                        11e0c1364ab259fa9ac8fc1eb9d8a05a2e52800fdea1a78cd8c6efa4ab77fb56

                        SHA512

                        91c687e7c40a73174822409b1bf96243a367aa2d0f61447af4788046706ec975146eab38555066e94f8ae7f5427202e42596d7c13d8fe24f42148709fe3a28bc

                        Download Submit

                      • memory/5132-183-0x000001CA56F50000-0x000001CA57112000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/5132-184-0x00007FFC4CEC0000-0x00007FFC4D981000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/5132-185-0x000001CA56EA0000-0x000001CA56EB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5132-187-0x000001CA58410000-0x000001CA58938000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/5132-182-0x000001CA3C8A0000-0x000001CA3C8B8000-memory.dmp

                        Filesize

                        96KB

                        Download