Analysis
-
max time kernel
361s -
max time network
368s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-04-2024 20:16
Static task
static1
Behavioral task
behavioral1
Sample
sgpj.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
sgpj.exe
Resource
win10v2004-20240412-en
General
-
Target
sgpj.exe
-
Size
563KB
-
MD5
0bbc0a7dc1a58f8a33fbd893ec737bc2
-
SHA1
6cc449fffcf0111d62ff0475afb30eef7d774089
-
SHA256
9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f
-
SHA512
d6a4cb34a70180951925d5414c1a563a37a5a6d5c92b6fc8c741711637ebd1af60a0e375e00334599f322226a084641f099042b524f7152c720f8a2e7ee14445
-
SSDEEP
12288:oCQjgAtAHM+vetZxF5EWry8AJGy0yfnSWv46NuV9TXH2505/N:o5ZWs+OZVEWry8AFBTjNufH2kV
Malware Config
Extracted
discordrat
-
discord_token
MTIyOTg4MjMyNDM2ODM2MzcwMA.GrfReS.9yWuSoWr3uhKK0b6qurk33JdihJVamaZgss9Yg
-
server_id
1229880755757514752
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
pid Process 2552 Client-built.exe -
Loads dropped DLL 6 IoCs
pid Process 772 sgpj.exe 2072 WerFault.exe 2072 WerFault.exe 2072 WerFault.exe 2072 WerFault.exe 2072 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 772 wrote to memory of 2552 772 sgpj.exe 29 PID 772 wrote to memory of 2552 772 sgpj.exe 29 PID 772 wrote to memory of 2552 772 sgpj.exe 29 PID 2552 wrote to memory of 2072 2552 Client-built.exe 30 PID 2552 wrote to memory of 2072 2552 Client-built.exe 30 PID 2552 wrote to memory of 2072 2552 Client-built.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\sgpj.exe"C:\Users\Admin\AppData\Local\Temp\sgpj.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2552 -s 6003⤵
- Loads dropped DLL
PID:2072
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD59c9b36aa4fbe85b60277dd6ea9caf0e1
SHA1d037380d780a0165d02bdd51f3eb741519944a64
SHA25642b7cc111a1773cec2eb5c5e97e9d03cf3d32cbff97dc1f8027ed65955d63c47
SHA512a7d1d4d1f27407dcd49aaf111f84005534031cd4b705d2bc14a5594787af915410a82f41193072cddceeefd209997a24e379d970d94c8ff07bc5f950183884d6