Analysis

  • max time kernel
    43s
  • max time network
    44s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16-04-2024 23:31

General

  • Target

    Adobe After Effects 2024 Loader.exe

  • Size

    78KB

  • MD5

    808e8843edbdb751f81d0f8b3cbadc06

  • SHA1

    8aad16da21c5baef2a4484f58a8a6e101949a097

  • SHA256

    9f20ab32cfec115c1079563a1f3d447d75da4035820f9232b7d543eb8dfa7156

  • SHA512

    535e26dce1c9e81319d24a8fb9c03808af79a9e403cb15a6dff0e87c188dc045d6386914841261ab378b21dd622a6fbd3993d88edeebb961f86d1dc1f7dfab1c

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+mPIC:5Zv5PDwbjNrmAE+CIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyOTkzMzQ1Njc2NzU4NjMxNQ.GA8lvX.p2sO85UW28jqHfp9V6UnNZYpTZjcyonJ3PZ21I

  • server_id

    1211176359427313724

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 Loader.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:3636
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4516
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3572

Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

      Filesize

      11KB

      MD5

      e3e15a868a60c5bc28058860580772ff

      SHA1

      31e64db52bcf6826fb18556214cc11cfca9ef116

      SHA256

      4dfd6f56923734f981111a3fc4cf3e11b420522506dac49441312b2fe80c4db9

      SHA512

      2b0db39c132bf6df3945c6acf0bc656650051c9483f0f454afd4640dc252c964049f4338889ed1289334fb536ad27997ff19746af420d11eaabf95db0e89f11c

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

      Filesize

      11KB

      MD5

      c0030affddfc4db4d0a06599ddadda16

      SHA1

      2e7a60a302ab2ba17317fdcead42cf4d3759eb08

      SHA256

      e8479f26639eefedde0ef3fe76b3eb20d077d9d0394c026a8c6d6841c9dead09

      SHA512

      018f14e2481294cefc16aac1693526c0aafc8469dffacad96ddf4bc93a965dceb11b2e4c3eed258938e9a7b5e646d455e499377a3334154a8cf749648b9f4fa2

    • memory/3636-0-0x000002AF904C0000-0x000002AF904D8000-memory.dmp

      Filesize

      96KB

    • memory/3636-1-0x000002AFAAD00000-0x000002AFAAEC2000-memory.dmp

      Filesize

      1.8MB

    • memory/3636-2-0x00007FFBC27D0000-0x00007FFBC3292000-memory.dmp

      Filesize

      10.8MB

    • memory/3636-3-0x000002AFAB0B0000-0x000002AFAB0C0000-memory.dmp

      Filesize

      64KB

    • memory/3636-4-0x000002AFAC070000-0x000002AFAC598000-memory.dmp

      Filesize

      5.2MB

    • memory/3636-24-0x00007FFBC27D0000-0x00007FFBC3292000-memory.dmp

      Filesize

      10.8MB

    • memory/3636-25-0x000002AFAB0B0000-0x000002AFAB0C0000-memory.dmp

      Filesize

      64KB