Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 16:14
Static task: static1
Behavioral task: behavioral1
- Sample: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
- Resource: win10v2004-20240419-en
General
- Target: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
- Size: 650KB
- MD5: 41177aaae97b728d3ef8281563bdaf34
- SHA1: 217586ee4699157434f1568e6eee180690c5750c
- SHA256: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20
- SHA512: 01e6ba88d026818e3008b31bc3a359e6fa636ab966b762d67c7c32f5e7c29b0b187ad2259304f7ac5a1583a4684ea0bb9e7252ec3c16d711703aff633533fc5a
- SSDEEP: 12288:9BdlwHRn+WlYV+Y2M1Hh4OiR8aFXW/tmxjnedOQxOAfjrFaE:9BkVdlYAfJb/FXWgxjFQxOIrFaE
Malware Config
Extracted: discordrat
- discord_token: MTIzMTYwODkyMTQwODY3MTgyNg.GyU5wW.z4dEi7ijUjrOfjBxpMvtoxwuv6X1yAlQjvlIuU
- server_id: 1231610037986922578
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoCs)
  pid 2528  process virus.exe
- Loads dropped DLL (6 IoCs)
  pid 2912  process 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
  pid 2556  process WerFault.exe
  pid 2556  process WerFault.exe
  pid 2556  process WerFault.exe
  pid 2556  process WerFault.exe
  pid 2556  process WerFault.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 3048  process DllHost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2912 wrote to memory of 2528  process 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe  procid_target 29
  description: PID 2912 wrote to memory of 2528  process 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe  procid_target 29
  description: PID 2912 wrote to memory of 2528  process 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe  procid_target 29
  description: PID 2912 wrote to memory of 2528  process 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe  procid_target 29
  description: PID 2528 wrote to memory of 2556  process virus.exe  procid_target 30
  description: PID 2528 wrote to memory of 2556  process virus.exe  procid_target 30
  description: PID 2528 wrote to memory of 2556  process virus.exe  procid_target 30
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe"
  PID: 2912
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe"
    PID: 2528
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2528 -s 596
      PID: 2556
      - Loads dropped DLL
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 3048
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: b33d5776d6a48b5679b3845069703ac2
  SHA1: 5b40ac0078ef8e86c9f7de118096403a43c2dfcb
  SHA256: beb19c19f8b47fe64dc4e19b34edf933e0a43e131a8085deaca95b9edea85b23
  SHA512: f1f1b9c14a2173e8d61280b4b5ba694798b5aed8ea4599fb2aa4c912001b83742356689673aaf93bc0341fb2d327ecfc93b5412baa73a2cd6d5549ac73372a6b
- Filesize: 78KB
  MD5: 9b05956fb67a4272d8f3a0758df244a1
  SHA1: 92155932364228e03533b1d6c006294e51b0d64f
  SHA256: 1d5c11fa25aee984d72491f021ca308601bf02795b81d41dbf05293268edd736
  SHA512: 515be9edcc8e9b189464b19ff489cd52bc754ecf8fd78024174c4b74b389e2921a68137a0df6db2651928af197e98ba65f2c25287522686d5f68d34eb40c93ea