Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-04-2024 12:06
Static task
static1
Behavioral task
behavioral1
Sample
example.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
example.exe
Resource
win10v2004-20240412-en
General
-
Target
example.exe
-
Size
678KB
-
MD5
955a20bf9bbfc6a650f027d98de5dcde
-
SHA1
4e688a55950cb668f8e644230ef53f1854cfa960
-
SHA256
aec5fd78e242dbc6f94b87e479982b11c2d07f50b7008df3d735a45e765d9baa
-
SHA512
737e384f576080acf8c549c349301d3aef913235a02ca065d4a06425d21779da1a8f6a198d399e386977d4f7d92e7083a2ae46a16362782716541e460908a957
-
SSDEEP
12288:RD7/3BHTnGdBbrxr5kwvhnN9Lto9ghiJGZ/O:RD7/BHjGdBPxlfnN9LquhiuO
Malware Config
Extracted
discordrat
-
discord_token
MTIwNzQ0Mjc2MTY3MDk4Nzg5Nw.G7QGsq.mV9vPnqHSKpUueDX1U0MR64-D5ZHLEHM-uK5fI
-
server_id
1228104284198015068
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process 584 check.exe 1648 check_pic.exe 1600 sgs.exe 396 check_ip.exe -
Loads dropped DLL 9 IoCs
pid Process 1392 example.exe 584 check.exe 1600 sgs.exe 1648 check_pic.exe 1380 WerFault.exe 1380 WerFault.exe 1380 WerFault.exe 1380 WerFault.exe 1380 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 example.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 example.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 example.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1392 example.exe 1392 example.exe 1392 example.exe 1392 example.exe 1392 example.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1392 wrote to memory of 584 1392 example.exe 30 PID 1392 wrote to memory of 584 1392 example.exe 30 PID 1392 wrote to memory of 584 1392 example.exe 30 PID 1392 wrote to memory of 1648 1392 example.exe 31 PID 1392 wrote to memory of 1648 1392 example.exe 31 PID 1392 wrote to memory of 1648 1392 example.exe 31 PID 1392 wrote to memory of 908 1392 example.exe 32 PID 1392 wrote to memory of 908 1392 example.exe 32 PID 1392 wrote to memory of 908 1392 example.exe 32 PID 908 wrote to memory of 1848 908 cmd.exe 33 PID 908 wrote to memory of 1848 908 cmd.exe 33 PID 908 wrote to memory of 1848 908 cmd.exe 33 PID 908 wrote to memory of 1448 908 cmd.exe 34 PID 908 wrote to memory of 1448 908 cmd.exe 34 PID 908 wrote to memory of 1448 908 cmd.exe 34 PID 908 wrote to memory of 2516 908 cmd.exe 35 PID 908 wrote to memory of 2516 908 cmd.exe 35 PID 908 wrote to memory of 2516 908 cmd.exe 35 PID 584 wrote to memory of 1600 584 check.exe 36 PID 584 wrote to memory of 1600 584 check.exe 36 PID 584 wrote to memory of 1600 584 check.exe 36 PID 1648 wrote to memory of 396 1648 check_pic.exe 37 PID 1648 wrote to memory of 396 1648 check_pic.exe 37 PID 1648 wrote to memory of 396 1648 check_pic.exe 37 PID 396 wrote to memory of 1380 396 check_ip.exe 38 PID 396 wrote to memory of 1380 396 check_ip.exe 38 PID 396 wrote to memory of 1380 396 check_ip.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\example.exe"C:\Users\Admin\AppData\Local\Temp\example.exe"1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Public\check.exe"C:\Users\Public\check.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Users\Admin\AppData\Local\Temp\onefile_584_133578292191178000\sgs.exe"C:\Users\Public\check.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600
-
-
-
C:\Users\Public\check_pic.exe"C:\Users\Public\check_pic.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Public\check_ip.exe"C:\Users\Public\check_ip.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 396 -s 6044⤵
- Loads dropped DLL
PID:1380
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD53⤵PID:1848
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:1448
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:2516
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
5.5MB
MD51fe47c83669491bf38a949253d7d960f
SHA1de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA2560a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA51205cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4
-
Filesize
14.0MB
MD53899a0b48d9e8ea5e03620341e7629dd
SHA11810ab9cc98fcf63bdc56bd563c42c90fdfee822
SHA25698cca85b218b970a6210c5200fad72f748b0c85cc7aab8aee5776015891bd61a
SHA5125445636d3e505eba0fc69c8f27792cc82ff27f9c595cd72ce31cf7c334a83429f373d167a2be383ed4c94aeec5ad2a8eb51567d2e3ae34955d8170a8787cbfd0
-
Filesize
78KB
MD51ffb65a70c60aeb329faa730bf27ec08
SHA1f0801acbb4d7c22650b6858c1385e4dfe4c8eb5b
SHA2567633848cbdce6f2415f291f24e3c1773c3523ebeb2548a2dc4fd6c9bd6188ed0
SHA512c7c5a9f84d6bc93cec18c849fab3e817365aff4540c97c2fc547d9d2c4e4d3b72263bafd46c93c721683fd7e071ddf94054f9a9f3008b26a003db39bb8ce2c60
-
Filesize
91KB
MD52a6bcd471e17bf7e517ed75b3f96dfd9
SHA12a1318834be42e05de6c1a466958ce475b1bbb58
SHA256939fed83d6381ce90f7e69833204f77be7134c62b0fef6f2d8e82722b1a30e9c
SHA512f10bc9f91b0c3b497bb1aea79022948d56979f04f86d3992066ade731a776246231c93c1045a57c70514ddd1f3e0d87d9ec88f166f180667adac8f7c2619099c
-
Filesize
23.2MB
MD5857a93080f4f0967197ddcbb13c7296d
SHA19c5e7c323834a976d3d23e7b63c2528d1095941a
SHA25645866d29843a0a09836e37a3b2c8242f5084fff4f2373ed4506536d805c9e7bc
SHA51247d39416e2bccdb81de90848212dd4f28768785093f23faf1fe50da1c13d6e2f3d3477b0fc2649639d43a8f4ae0af574d86a16b014dd14ccf4073bd1cb43641e