discordrat | 02bfbb334d865f9d3017805f497f796e2e196daac380363c66a400f703e24dd9

Analysis

max time kernel
62s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 23:27

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T23:29:13Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_10-dirty.qcow2\"}"

Report Analysis Logs

General

Target

i_like_women.exe
Size

78KB
MD5

5a5b6e53ccb50923996ca249327a7e9f
SHA1

61ac9c582c6e8b47575f7876726e7cd7a858b01e
SHA256

02bfbb334d865f9d3017805f497f796e2e196daac380363c66a400f703e24dd9
SHA512

e90a0aeede476c96d5b58dd01f92481725170de93096fab445a89d40da327553d989f7c15c726ef5bac98cb93e805d434b27174b03d6a11271ece8ab38e242ce
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+/PIC:5Zv5PDwbjNrmAE+HIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5MjYwNjY1NDg4NjMzMDM2OA.G9UZ1L.0eBfljxuZnpbdAapktcja1jSowd2_zkrNq1bm8
server_id
1192606928027795548

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	i_like_women.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
31	discord.com
53	discord.com
80	discord.com
85	discord.com
90	discord.com
6	discord.com
7	discord.com
52	discord.com
72	raw.githubusercontent.com
73	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	i_like_women.exe
Token: SeDebugPrivilege	4080	taskmgr.exe
Token: SeSystemProfilePrivilege	4080	taskmgr.exe
Token: SeCreateGlobalPrivilege	4080	taskmgr.exe
Token: 33	4080	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4080	taskmgr.exe
Token: SeShutdownPrivilege	4568	shutdown.exe
Token: SeRemoteShutdownPrivilege	4568	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe
4080	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4872	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4568	1912	i_like_women.exe	111
PID 1912 wrote to memory of 4568	1912	i_like_women.exe	111

C:\Users\Admin\AppData\Local\Temp\i_like_women.exe
"C:\Users\Admin\AppData\Local\Temp\i_like_women.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3936055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-18-0x00007FFCD2600000-0x00007FFCD30C1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-1-0x0000013D4EF40000-0x0000013D4F102000-memory.dmp

Filesize
1.8MB

Download
memory/1912-2-0x00007FFCD2600000-0x00007FFCD30C1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-3-0x0000013D36410000-0x0000013D36420000-memory.dmp

Filesize
64KB

Download
memory/1912-4-0x0000013D4F740000-0x0000013D4FC68000-memory.dmp

Filesize
5.2MB

Download
memory/1912-21-0x00007FFCD2600000-0x00007FFCD30C1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-20-0x0000013D36690000-0x0000013D3669E000-memory.dmp

Filesize
56KB

Download
memory/1912-19-0x0000013D36410000-0x0000013D36420000-memory.dmp

Filesize
64KB

Download
memory/1912-0-0x0000013D34890000-0x0000013D348A8000-memory.dmp

Filesize
96KB

Download
memory/4080-11-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-13-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-14-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-15-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-16-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-17-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-12-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-7-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-6-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download
memory/4080-5-0x0000021158090000-0x0000021158091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads