Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 12:06

General

  • Target

    example.exe

  • Size

    678KB

  • MD5

    955a20bf9bbfc6a650f027d98de5dcde

  • SHA1

    4e688a55950cb668f8e644230ef53f1854cfa960

  • SHA256

    aec5fd78e242dbc6f94b87e479982b11c2d07f50b7008df3d735a45e765d9baa

  • SHA512

    737e384f576080acf8c549c349301d3aef913235a02ca065d4a06425d21779da1a8f6a198d399e386977d4f7d92e7083a2ae46a16362782716541e460908a957

  • SSDEEP

    12288:RD7/3BHTnGdBbrxr5kwvhnN9Lto9ghiJGZ/O:RD7/BHjGdBPxlfnN9LquhiuO

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwNzQ0Mjc2MTY3MDk4Nzg5Nw.G7QGsq.mV9vPnqHSKpUueDX1U0MR64-D5ZHLEHM-uK5fI

  • server_id

    1228104284198015068
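
Triage of the extracted config, as an added example (Python written for this page, not code from the sandbox or from the malware): the first segment of a Discord bot token is base64url of the bot's user ID, and that ID and server_id are both Discord snowflakes whose upper bits carry a creation time, so a responder can date the C2 infrastructure without ever contacting Discord. The token's timestamp and HMAC segments are left opaque because they cannot be validated offline. The submission time is copied from the report header and assumed to be UTC; the snowflake epoch is Discord's documented 2015-01-01.

```python
"""Offline triage of a discordrat config extracted by the sandbox.

Added example for this page, not the sandbox's or the malware's code.
Decodes the structural parts of the Discord bot token and derives
creation timestamps from the snowflake IDs in the config.
"""
import base64
import re
from datetime import datetime, timezone

# Values copied from the report's "Extracted" section.
CONFIG = {
    "discord_token": "MTIwNzQ0Mjc2MTY3MDk4Nzg5Nw.G7QGsq.mV9vPnqHSKpUueDX1U0MR64-D5ZHLEHM-uK5fI",
    "server_id": "1228104284198015068",
}

# Submission time from the report header (17-04-2024 12:06); UTC is an assumption.
SUBMITTED = datetime(2024, 4, 17, 12, 6, tzinfo=timezone.utc)

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the documented snowflake epoch


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; Discord tokens omit the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_bot_token(token: str) -> dict:
    """Split a bot token into its three segments and decode the first one.

    Segment 1 is base64url of the bot's user ID (a snowflake). Segment 2
    encodes a timestamp and segment 3 is an HMAC; both are returned as-is
    because their exact layout is not something we can verify offline.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    user_id = _b64url_decode(parts[0]).decode("ascii")
    if not re.fullmatch(r"\d{17,20}", user_id):
        raise ValueError("first segment did not decode to a snowflake")
    return {"bot_id": user_id, "timestamp_segment": parts[1], "hmac_segment": parts[2]}


def snowflake_time(snowflake: str) -> datetime:
    """Return the creation time embedded in a Discord snowflake (bits 22..63)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(config: dict, submitted: datetime = SUBMITTED) -> dict:
    """Build the IOC summary a responder wants from this config."""
    tok = parse_bot_token(config["discord_token"])
    bot_created = snowflake_time(tok["bot_id"])
    guild_created = snowflake_time(config["server_id"])
    return {
        "bot_id": tok["bot_id"],
        "bot_created": bot_created.isoformat(),
        "guild_id": config["server_id"],
        "guild_created": guild_created.isoformat(),
        # Infrastructure created days before the sample surfaced is a useful
        # clustering hint; a timestamp after submission would mean a bad decode.
        "guild_age_days_at_submission": (submitted - guild_created).days,
        "timestamps_plausible": bot_created < submitted and guild_created < submitted,
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG).items():
        print(f"{key}: {value}")
```

Both snowflakes decode to early 2024, with the guild created under a week before the sample was submitted. Report the bot ID rather than the raw token when sharing IOCs: the ID is stable and safe to publish, while the token grants control of the bot.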

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 3 IoCs

    Typically a side effect of CryptoAPI's automatic root-certificate update during TLS chain building (compare the CryptnetUrlCache entry and Tar7824.tmp under Downloads) rather than deliberate tampering with the store; weak evidence on its own.
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\example.exe
    "C:\Users\Admin\AppData\Local\Temp\example.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Public\check.exe
      "C:\Users\Public\check.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Users\Admin\AppData\Local\Temp\onefile_584_133578292191178000\sgs.exe
        "C:\Users\Public\check.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1600
    • C:\Users\Public\check_pic.exe
      "C:\Users\Public\check_pic.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Public\check_ip.exe
        "C:\Users\Public\check_ip.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 396 -s 604
          4⤵
          • Loads dropped DLL
          PID:1380
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD5
        3⤵
          PID:1848
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:1448
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2516
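
Detection logic lifted from the tree above, as an added example (Python written for this page, not part of the sandbox report): three process-creation rules run over constructed events that mirror the tree plus one benign control. Points from the tree that the rules encode: check.exe unpacks into %TEMP%\onefile_584_<ticks>\ and relaunches sgs.exe with the original command line, which is Nuitka's default onefile layout (the directory name carries the bootstrap's PID and a FILETIME that decodes to the run time); the cmd.exe pipeline has the sample hash its own image with certutil and strip certutil's header and footer lines with find; and WerFault.exe -p 396 shows check_ip.exe crashing. The event field names (pid, ppid, image, cmd) are an assumption modelled on Sysmon Event ID 1.

```python
"""Process-tree hunting rules derived from this report.

Added example for this page, not code from the sandbox. The events below
are constructed to mirror the Processes section; the field names are an
assumption modelled on Sysmon Event ID 1.
"""
import re
from datetime import datetime, timezone

# Constructed events: paths and PIDs copied from the tree, plus a benign control.
EVENTS = [
    {"pid": 1392, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\example.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\example.exe"'},
    {"pid": 584, "ppid": 1392, "image": r"C:\Users\Public\check.exe",
     "cmd": r'"C:\Users\Public\check.exe"'},
    {"pid": 1600, "ppid": 584,
     "image": r"C:\Users\Admin\AppData\Local\Temp\onefile_584_133578292191178000\sgs.exe",
     "cmd": r'"C:\Users\Public\check.exe"'},
    {"pid": 908, "ppid": 1392, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'},
    {"pid": 1848, "ppid": 908, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\example.exe" MD5'},
    # Benign control: an admin hashing a download from an interactive console.
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r'certutil -hashfile "C:\Users\Admin\Downloads\setup.msi" SHA256'},
]

FILETIME_EPOCH_DELTA_S = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime.fromtimestamp(ticks / 10_000_000 - FILETIME_EPOCH_DELTA_S, tz=timezone.utc)


def onefile_unpack_time(image: str):
    """Unpack time encoded in a Nuitka onefile path (onefile_<pid>_<ticks>), or None."""
    m = re.search(r"\\onefile_\d+_(\d+)\\", image, re.IGNORECASE)
    return filetime_to_datetime(int(m.group(1))) if m else None


def rule_public_dir_exec(ev, by_pid):
    """Executable running from C:\\Users\\Public, a world-writable staging directory."""
    return ev["image"].lower().startswith("c:\\users\\public\\")


def rule_nuitka_onefile(ev, by_pid):
    """Image under the Nuitka onefile unpack directory whose embedded PID is the parent."""
    m = re.search(r"\\onefile_(\d+)_\d+\\", ev["image"], re.IGNORECASE)
    return bool(m) and int(m.group(1)) == ev["ppid"]


def rule_certutil_self_hash(ev, by_pid):
    """certutil -hashfile aimed at an ancestor's own image: the sample fingerprinting itself."""
    if not ev["image"].lower().endswith("\\certutil.exe"):
        return False
    m = re.search(r'-hashfile\s+"?([^"]+?)"?\s', ev["cmd"] + " ", re.IGNORECASE)
    if not m:
        return False
    target = m.group(1).lower()
    cur = by_pid.get(ev["ppid"])
    while cur is not None:  # walk up the chain; cmd.exe sits between certutil and the sample
        if cur["image"].lower() == target:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


RULES = {
    "public_dir_exec": rule_public_dir_exec,
    "nuitka_onefile": rule_nuitka_onefile,
    "certutil_self_hash": rule_certutil_self_hash,
}


def hunt(events):
    """Return (pid, rule_name) for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, by_pid):
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in hunt(EVENTS):
        print(f"pid {pid}: {name}")
    print("onefile unpacked at", onefile_unpack_time(EVENTS[2]["image"]))
```

The self-hash rule needs the parent chain, which is why the rules take the PID index rather than a single event; in a SIEM the same join is done on ParentProcessId. The benign certutil invocation does not fire because nothing above it in the tree is the file being hashed.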

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\Local\Temp\Tar7824.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\Temp\onefile_584_133578292191178000\python311.dll

          Filesize

          5.5MB

          MD5

          1fe47c83669491bf38a949253d7d960f

          SHA1

          de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

          SHA256

          0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

          SHA512

          05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

        • C:\Users\Public\check.exe

          Filesize

          14.0MB

          MD5

          3899a0b48d9e8ea5e03620341e7629dd

          SHA1

          1810ab9cc98fcf63bdc56bd563c42c90fdfee822

          SHA256

          98cca85b218b970a6210c5200fad72f748b0c85cc7aab8aee5776015891bd61a

          SHA512

          5445636d3e505eba0fc69c8f27792cc82ff27f9c595cd72ce31cf7c334a83429f373d167a2be383ed4c94aeec5ad2a8eb51567d2e3ae34955d8170a8787cbfd0

        • C:\Users\Public\check_ip.exe

          Filesize

          78KB

          MD5

          1ffb65a70c60aeb329faa730bf27ec08

          SHA1

          f0801acbb4d7c22650b6858c1385e4dfe4c8eb5b

          SHA256

          7633848cbdce6f2415f291f24e3c1773c3523ebeb2548a2dc4fd6c9bd6188ed0

          SHA512

          c7c5a9f84d6bc93cec18c849fab3e817365aff4540c97c2fc547d9d2c4e4d3b72263bafd46c93c721683fd7e071ddf94054f9a9f3008b26a003db39bb8ce2c60

        • C:\Users\Public\check_pic.exe

          Filesize

          91KB

          MD5

          2a6bcd471e17bf7e517ed75b3f96dfd9

          SHA1

          2a1318834be42e05de6c1a466958ce475b1bbb58

          SHA256

          939fed83d6381ce90f7e69833204f77be7134c62b0fef6f2d8e82722b1a30e9c

          SHA512

          f10bc9f91b0c3b497bb1aea79022948d56979f04f86d3992066ade731a776246231c93c1045a57c70514ddd1f3e0d87d9ec88f166f180667adac8f7c2619099c

        • \Users\Admin\AppData\Local\Temp\onefile_584_133578292191178000\sgs.exe

          Filesize

          23.2MB

          MD5

          857a93080f4f0967197ddcbb13c7296d

          SHA1

          9c5e7c323834a976d3d23e7b63c2528d1095941a

          SHA256

          45866d29843a0a09836e37a3b2c8242f5084fff4f2373ed4506536d805c9e7bc

          SHA512

          47d39416e2bccdb81de90848212dd4f28768785093f23faf1fe50da1c13d6e2f3d3477b0fc2649639d43a8f4ae0af574d86a16b014dd14ccf4073bd1cb43641e

        • memory/396-204-0x000000013F0D0000-0x000000013F0E8000-memory.dmp

          Filesize

          96KB

        • memory/396-205-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

          Filesize

          9.9MB

        • memory/396-207-0x000000001B7C0000-0x000000001B840000-memory.dmp

          Filesize

          512KB

        • memory/396-213-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

          Filesize

          9.9MB

        • memory/396-214-0x000000001B7C0000-0x000000001B840000-memory.dmp

          Filesize

          512KB

        • memory/1648-131-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

          Filesize

          9.9MB

        • memory/1648-83-0x0000000000270000-0x000000000028E000-memory.dmp

          Filesize

          120KB

        • memory/1648-206-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

          Filesize

          9.9MB