Overview

overview

10

Static

static

10

Tic Toe/TTT.exe

windows11-21h2-x64

10

Tic Toe/dnlib.dll

windows11-21h2-x64

1

Resubmissions

16-04-2024 20:05

240416-ytw56ach4z 10

16-04-2024 19:50

240416-ykjhpsba36 10

Analysis

  • max time kernel
    1448s
  • max time network
    1508s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-04-2024 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tic Toe/TTT.exe

  • Size

    78KB

  • MD5

    bea6449a9c00cf3667941b6d9de42610

  • SHA1

    dd771bee34b16935ff90b3baea5f854e8371b3dd

  • SHA256

    161b52b3f8b209d6ef096dd464d9ab5a749846f5593ed4b9e3d03aeb3a7a9861

  • SHA512

    8913be46ebcba2a7ce997a8b93caf80e5aa1878afd18c12191c6af6f388969970e625f8299dec08f2261bed5f00fd7408c542128d33d9139a72a0adcfbbd356e

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyNjYzNzczNjgyODYwMDMzMA.G6KXZO.KhvjpXnxesj0UFK2f4VA8aIK-hpf6VfhFGsAVo

  • server_id

    1224114376949235764

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe
    "C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5580
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:2744
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1408

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\ApproveRename.xlsb
        Filesize

        634KB

        MD5

        277080ee271f25718be7d98d72066a40

        SHA1

        fa362c6809ab06a81d4e916acc72368d98043e3e

        SHA256

        206f34a58cab7c534217e03103fe39339877a47a8d405e5b5f8ba13a402ede2e

        SHA512

        b3ffc8a12d5723d48123c59e7f8c8496453ea8aedb04edeaf0cf96a376f047cff65f7fe2944c22ff713cdc50c82d079ea1afb0b0013045b293ff1e5660a35eec

        Download Submit

      • C:\Users\Admin\Desktop\ClearRepair.wmx
        Filesize

        352KB

        MD5

        559f3080a153136c16ff42030fc8853e

        SHA1

        031704105c4b3f23ce37f39374719f60f1c6dfa2

        SHA256

        0075a135e2d04d6ac90c4d7f90ccd13097833c3504a90f9cc46f691bcdedfded

        SHA512

        05a961ff676db36eb1214b04e222bcc4b406e303b157adfc9999c37fd0b8a994eb1ab00a08861eb75bf0859a04a122cce5028ecd9afdbe3538649b3b8c9a9c38

        Download Submit

      • C:\Users\Admin\Desktop\CloseRevoke.csv
        Filesize

        540KB

        MD5

        bd9f85e1b318038bdeaa232970db3dc1

        SHA1

        011aeb749d7789036a8cac3f2ccbd620aecec15c

        SHA256

        4ba4b466732723f5efa9317153778d399e1c3e2306df4cb6c685b278ec2ee888

        SHA512

        a9f560672b44b4e3432d692f7ad0cac32f9bf15e27183c09b82a9dc3a3a84ae587323db460e6cedd115252b1613b8bf71a64df540c033da79b7d028185662536

        Download Submit

      • C:\Users\Admin\Desktop\CompleteDisable.vsd
        Filesize

        681KB

        MD5

        cf0762dae4ac7110d8028a860e52fd07

        SHA1

        44a7e89b3015db8699eef32fc24d34bc970c1f30

        SHA256

        27e81c40fad78f7f97934d51710803f1d186a4e6396dc492795a3da1cb679327

        SHA512

        5e54f9c1aaf08bb46a4d9a2f7f13838935c539cf26b3ddfe3579ca4707e50dbae3a83ed08b17e99c15b843f4cdf15db9adaf68e1055fa0332cc9bd5ae547ea31

        Download Submit

      • C:\Users\Admin\Desktop\ConfirmSave.vbs
        Filesize

        658KB

        MD5

        749427947d4668d3c3b9bc3dc550dda2

        SHA1

        f02418011f7078c38423651a0fb9ba8aa001829e

        SHA256

        623a7e6276f8c7c28db3d0ad3aa33d56713f0b27e09f401967a2f12b209958cd

        SHA512

        96081a1e679a34f86b6e4f47733dcf529395c0cdd77660b52f018ecaed8da132a530198cc0db65e0785e987ca4771bc25fbae6459dc313b380138661c4ee550f

        Download Submit

      • C:\Users\Admin\Desktop\DebugDeny.TTS
        Filesize

        423KB

        MD5

        cba65aafe11241b2d0f5d242bc48eb0b

        SHA1

        98cd83364631e19146827771baa2896d9b909536

        SHA256

        84a0f989336ebd753e5d3754060410c4b156378e1d5144eab6eeacb485d07ea5

        SHA512

        64c4f7ef2655dac3b7a57c320b4c38c7c5da46a50e09057f824b75ad3bd89147927623653d2572059e1cffe0e6b02a3f659fdb598d598449a56d25e7543b5c09

        Download Submit

      • C:\Users\Admin\Desktop\DisableAssert.eprtx
        Filesize

        376KB

        MD5

        4323cc776345f6556a2c361f37eb52bd

        SHA1

        35b8275712f7910270800facc25ce534153f399b

        SHA256

        03bdc3844d49ada7b97f1311521be1eeb73c778f6ee8de68d2418e93744791f0

        SHA512

        9545e5527e351afdbfdf7368ff0f9e650ddf5972687c70a76f0fb353879aa542fef473c1679b0e32f80b179a9ff4663d95ab9fbf1ad0a7245129f7363efa4a00

        Download Submit

      • C:\Users\Admin\Desktop\DisconnectFormat.mp3
        Filesize

        517KB

        MD5

        d3884680ae08ac721633fa58fd6079c0

        SHA1

        0dcd2e8f7f25ddf9a9b5003f26419aa7f5891b55

        SHA256

        410642306bf1e86c4c9f00abae9a46e303ea7ac9f2353697b1a238ee9d2e2896

        SHA512

        969f83d907f2d54b68a6dbcc008dc70ac32bfa4a4a29206ce5f08070cea8de19b1be06e8aa136d392805e3664be8f45ced1a7c4f47aba7ce051646cd1b3910dc

        Download Submit

      • C:\Users\Admin\Desktop\DisconnectRename.ram
        Filesize

        564KB

        MD5

        cde960cc8da71c1f65306a746d5d9c4d

        SHA1

        347d737617d400be317c2142a6c501f4d8e14962

        SHA256

        aaf378c4689eb1a463d1a92a117002eee3633df557171421a6d250d3136a9373

        SHA512

        3bfdef25905389d0ab484932d4f7c6b57028ffad14e5ebbf98a43dca50b7fd234e53135f4bf6347cfec5381474e4553a96e72bf02aa7368c1de5232de6e6ef3d

        Download Submit

      • C:\Users\Admin\Desktop\EditOptimize.pdf
        Filesize

        869KB

        MD5

        6a1e2a1cd4893d0a948b8d74fa1afdfe

        SHA1

        535aed9fef96ab5a20b1d7f74b885a2a3b897436

        SHA256

        1dfb90dafc510a96c63db4b083c13376afdd42cfacd8d8b6833f17cff9e50d4e

        SHA512

        ebb5be81837d98a6f29d6214d29d321d6e02f60804fd2c93e0726ec875a5d994fd82734a28d58e23583703650ef40fc82c7f28a3c8d70e42d6a2795eb10f5649

        Download Submit

      • C:\Users\Admin\Desktop\GetSet.xlsb
        Filesize

        611KB

        MD5

        dbabfb478036ed4d9d09837c377e9860

        SHA1

        9c65844cb4340143da8d01e40df19d5bf2e72a20

        SHA256

        a798b533a92e1ec4ef0cbc5c46751959eab1814735c4edb86fe03055ea656b7e

        SHA512

        c9f80e86b363fb7635ce0c51264a1fdaafcbc15adb56f32840ac55d1fef287e7b992c1076e67ef9aa4238686df00b6ead18bad791f453e8bfb84d776e2ec100c

        Download Submit

      • C:\Users\Admin\Desktop\InitializeStop.avi
        Filesize

        728KB

        MD5

        ce92e9b9fb5e0c885434451c26035e83

        SHA1

        b6f0c42a38f3d053294bf726ab6cd4ac5cbbb8dd

        SHA256

        fdd00f0ab950a69de912a8038f2cc11127be40e1ed7767cd7b78b7a7a67a4192

        SHA512

        f444e04096b0997599a191cd28604741047498b5871524ad0fc27e2fcd150cbf858002256582b48792da5499e4c745ba720b6e3c93c8c043983f2c01b3e19898

        Download Submit

      • C:\Users\Admin\Desktop\InitializeUnlock.odt
        Filesize

        705KB

        MD5

        6d2b6427093282072838a6f9a97b2dbe

        SHA1

        60a437b6ea172b0ff54f36237ff31acc4c2fffe2

        SHA256

        25a7ca4398f324c30cecf7122a3f93fd2181a5c0f2f66e64722eb137f8007071

        SHA512

        53894b397eb42a11c17312866b9c9f5c4ede142c4d529915c5db79431755d5abf6a6ea7823cc2ba80347db025b961659ea09e984d3e05d700e9276d6b537a9b2

        Download Submit

      • C:\Users\Admin\Desktop\MountGet.ttc
        Filesize

        846KB

        MD5

        4adac1dd3ddf872b884637b9959c918d

        SHA1

        bd1ed3e9007b1d62b0ad93d6d100d6f94362c7a6

        SHA256

        d5642eb3518a390dbcf36017032ecb11a1965ed83e6708c3241fdcd8ecb3f4cc

        SHA512

        253e9fa61d8b154c34401dbfbc697fd2b8f247e20d3ecc919ebbba771484bde872064475a661d6b04b602ae963754a989205f7a91e8876b7ea132a80699185ca

        Download Submit

      • C:\Users\Admin\Desktop\MoveCheckpoint.mpv2
        Filesize

        493KB

        MD5

        2fed90733dc9c0b8f5575aff6ae541e1

        SHA1

        c92f3326f7626734519e44371d3b617e7eb51a14

        SHA256

        1569ce25af8ed05dbc7c0412bc9c502983ca2ee1c7f0f960adb0177e40fd40d0

        SHA512

        557cd8efdf13462286fcaed0b6c2d0464fc536dae9e25c257da3a0069133cf5549939f06a9a59e8f65d89560336ab781094e139e5d4be666db86bbded6406d64

        Download Submit

      • C:\Users\Admin\Desktop\NewUnregister.xltm
        Filesize

        916KB

        MD5

        0edebd4eeffa5c6e00aea0237bd12b21

        SHA1

        7584205369d9d4b29b3bf25277e651ec878ebb70

        SHA256

        34168cccd01c8d1fd18e7730fb0dfb590620179f8e53f7cf4e7fe28dba6aade0

        SHA512

        259c9cd208a369ce68503b457b3ebd8b97d7dffb1846e72bd816e15e1ae1448c4d53a4d30bd019785b3e1e2b7a0ea539650f97c62129ab7f030dc3d374d5e7b9

        Download Submit

      • C:\Users\Admin\Desktop\OptimizeDebug.pptx
        Filesize

        1.3MB

        MD5

        136494fa74262c56cacec915a336b580

        SHA1

        a92db3b0a84efa2423bccca924ed81c6391e63e7

        SHA256

        629ad6c158d0268e4fd0563408d942864cd6a6b9d8d815541731e8ba5bd0eb00

        SHA512

        2d3b9a9eebf7fdc137d24376309297365216fc297d04423a284977735cf1048feff5be6904d7ef16b470dec2b6d71489373ee47034c0e695c4c1e93e4a78ea2b

        Download Submit

      • C:\Users\Admin\Desktop\OptimizeStep.kix
        Filesize

        822KB

        MD5

        562b1e2c10bd54aff327b092e0f72be6

        SHA1

        c302a57e6b256f4381f2d3e40f28f0793c3e1e68

        SHA256

        bc2df8d8028391566de5b37786f0fef747f077f108c660e41f3e9b521635130f

        SHA512

        696f76f5c3ccd7c83609a1a2c97b3ae60c4c98491b4599b922642a2d6d105a78430165225a5647790974288073f8c84de1f93a5d84075930b58a591070ef0ec3

        Download Submit

      • C:\Users\Admin\Desktop\OptimizeStep.mpeg3
        Filesize

        329KB

        MD5

        c1dcaaa63a63ff288972bee34fab92ec

        SHA1

        bdcf477f5caa1908477e69530700a28c5d2bdd78

        SHA256

        1c4d05e4dc6aa3ec004c5921ce8eab011633336bef5f680f0439a87f7f15054a

        SHA512

        59268b19b9710f3823af77965f4ecbb443069220c794338cea74d2d93019f683ada9bf2a0a60ef43efa395cba68ae6f01622803943efe3dc52170a80ad1d7c3c

        Download Submit

      • C:\Users\Admin\Desktop\PopSend.otf
        Filesize

        399KB

        MD5

        19cdabb564a864c4cee77c0623f5500d

        SHA1

        fd6a447859d9df88bb31dfa4cdef38eee2161e09

        SHA256

        0f110db7ae68e85269271d2d909d51b7ba06eca9c809c933b528e8199ca6efa1

        SHA512

        80de84fa22509cf1e4b0b7e12059983837fbca0f2381d9eaf48fc1163b3834802ae5f6cb5fd5a7135db7c83ac45faa7e1daad302c6d963a494083cf15fb34693

        Download Submit

      • C:\Users\Admin\Desktop\ProtectEnter.DVR
        Filesize

        775KB

        MD5

        752c04d4fbc17abc294fc381cf4922df

        SHA1

        4e337a6bb1bc711c56d59af13fbda91d059c3ca4

        SHA256

        30c39ff1839b7fc0ba7072d2144c0f3678e41b19c9423d57916ff2e1c6f8214f

        SHA512

        9fc97c7293d6b95297218e3ebdc6b1037cffa159fa9ad15a331adbb9101d19ee3d82ae85657ecd741f4cdd59e84851fa8dd2e78650c1caf8f7581b435b5d964a

        Download Submit

      • C:\Users\Admin\Desktop\RegisterLimit.xltm
        Filesize

        470KB

        MD5

        3c19676e04762d4a34b03d8bd253388e

        SHA1

        31a0fc78fc3efa792011331202896c7aab7f3b1f

        SHA256

        05748e9aae961a9c3494be2e0a0da4a0e5bb47018d50da9ec32f9710884152b9

        SHA512

        c1785720c804fe9b86e9bdb95c6e6b3fa83e179c2d96c27a9548c5917ef66919c3a780a45dc41ae2d67a0487e1e3a8106c32963af89d18d781f26a2d3ba84c00

        Download Submit

      • C:\Users\Admin\Desktop\RemoveMeasure.docx
        Filesize

        893KB

        MD5

        021580f8a2d83c046bacc8da57fd60c1

        SHA1

        9bc9238b1013ce31c6b43fed4af79aa1781ee834

        SHA256

        9a776d06f3feaf8337da0c4255568f6eb422c4c6e91f8ff9680457c48982b883

        SHA512

        aaf0f9c79054c78bb3290ca36f4ffb546fa15b1623baf9f9488f6a11c834b7db0670542fcfb09c44201e6b5ba87011a5416eb9bc6d93b584e18edc19b10c2923

        Download Submit

      • C:\Users\Admin\Desktop\StartOpen.rtf
        Filesize

        752KB

        MD5

        c823bdcc48da8dc06be5ffdc8ea6566a

        SHA1

        a02db6a5ce5fc63913829910e43635a3cd31d011

        SHA256

        1702d76c6b2a311d77db754f08a6ee083ea781a2a1594a80c49e5a3b7ba9bc88

        SHA512

        a43d022089ab0f8007677e8dd8ac65d2688de82d1310c1685014590d38d1f8963fe90cc0944cf35f5b7c64e280c2c57ad1307ce0e934a4b7c62f4a5fe1b68d48

        Download Submit

      • C:\Users\Admin\Desktop\TestRevoke.tif
        Filesize

        587KB

        MD5

        11749dfb00979a129504ea39d9eb787e

        SHA1

        5b6cc7f7b06082dc0b1ae7288cacbc62fe608b23

        SHA256

        7e22c46715d6221c878c4a3f82b0e0788e72616f14a8ff83ef2d3fe061b88358

        SHA512

        57ed40d9a355166b57d4aea43c3bc2612a998764dee38851dece95a1ab585efaaaddc095d4208099fb50891cdce5e4f6182d814129fd5fb5a954670fffc1a6cf

        Download Submit

      • C:\Users\Admin\Desktop\TestSearch.mpeg
        Filesize

        446KB

        MD5

        2a94a2cfd72aa5c8c4fbb40bda866563

        SHA1

        59a58464bc4083c8b3af8f428c0771e23e39c8bf

        SHA256

        a44a93f4a9d8d2352407027b804702d2e97c973fd1340de636b0a8c730b1fb2f

        SHA512

        bf32fe49bbc4e8236ea83e44eff4d267f6ccf7a35852670cc8dbf340d51628bc8fa1bd7b55ecbdb2483f9528049b05571c4d630ac70f8f3859bd29da53f135c0

        Download Submit

      • C:\Users\Admin\Desktop\TraceConvertFrom.bin
        Filesize

        799KB

        MD5

        cbcc4f0f00b16907aef831e588b345c9

        SHA1

        74232159ee80a85b615d3530a0cfb10f7f77c5a2

        SHA256

        d142f02a6d89e5769da6b1fee23a714d13276f8927455250196d798e8d32864b

        SHA512

        8d132c8e644187d597d418b5bd7b53dacd2ba309fb8269741eecdc5e9d5884d792dc8497d2bb3072cc7b805f248021929db45c1a128d9f589471ef2cb90ed870

        Download Submit

      • C:\Users\Admin\Desktop\UnregisterMove.temp
        Filesize

        940KB

        MD5

        c669fe8e4b0508863194f678bb6c4d5a

        SHA1

        bd42024deb2530cbb78a5e2d29b72be3cd0bbb1b

        SHA256

        9e1a8b769c59551c9c6e3f699e76c0404a79e3225967df19b3f439971f4a952b

        SHA512

        170995f8c791b96592416d1f44012488301ac49775b677e9ee6b519c75ac560651bfd7a47b2f45f57d74377a837eb85a2903ebeb867fa6902af7f6e1225d3c62

        Download Submit

      • memory/5580-4-0x0000014B40A80000-0x0000014B40FA8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/5580-2-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5580-1-0x0000014B3F800000-0x0000014B3F9C2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5580-3-0x0000014B255E0000-0x0000014B255F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5580-5-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5580-0-0x0000014B251A0000-0x0000014B251B8000-memory.dmp

        Filesize

        96KB

        Download