Analysis
- max time kernel: 299s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 19:09

Behavioral task: behavioral1
- Sample: StarPredictorV8.exe
- Resource: win10v2004-20240412-en (windows10-2004-x64)
- 7 signatures
- 300 seconds
General
- Target: StarPredictorV8.exe
- Size: 78KB
- MD5: 6853d172cb6541f87621bee250b872e0
- SHA1: be9df9068b361b6ec32d4d12f8c45f14753b10e3
- SHA256: 37d6d9f29987afae8c860a6f3fdd3645e71654fe56d2765a3d9a9310b24597ad
- SHA512: 8348ebd28b9683b39ee49aa67625bbe3f126e6e4454ce391d60de072d21964a51e828059ebb30a769c0da28f003a16d2ac087439f6db4c240d9fa00b126b5c3e
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+hPIC:5Zv5PDwbjNrmAE+xIC
- Score: 10/10
Malware Config (Extracted)
- Family: discordrat
- Attributes:
  - discord_token: MTIwMjI5NDQyMDg2NzkxMTc0Mg.G_IGPJ.e5G7ZTy7lxD6XVLCjQSUyIfNknmxDjQfb0El_g
  - server_id: 1202294602145468516
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3300 | taskmgr.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3300 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1552 | StarPredictorV8.exe
  Token: SeDebugPrivilege | 3300 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3300 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3300 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  3300 | taskmgr.exe (64 occurrences)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  3300 | taskmgr.exe (64 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\StarPredictorV8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\StarPredictorV8.exe"
  PID: 1552
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3300
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage