Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2024 16:14

General

  • Target

    762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe

  • Size

    650KB

  • MD5

    41177aaae97b728d3ef8281563bdaf34

  • SHA1

    217586ee4699157434f1568e6eee180690c5750c

  • SHA256

    762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20

  • SHA512

    01e6ba88d026818e3008b31bc3a359e6fa636ab966b762d67c7c32f5e7c29b0b187ad2259304f7ac5a1583a4684ea0bb9e7252ec3c16d711703aff633533fc5a

  • SSDEEP

    12288:9BdlwHRn+WlYV+Y2M1Hh4OiR8aFXW/tmxjnedOQxOAfjrFaE:9BkVdlYAfJb/FXWgxjFQxOIrFaE

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzMTYwODkyMTQwODY3MTgyNg.GyU5wW.z4dEi7ijUjrOfjBxpMvtoxwuv6X1yAlQjvlIuU

  • server_id

    1231610037986922578

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
    "C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2528 -s 596
        3⤵
        • Loads dropped DLL
        PID:2556
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hecker.jpeg

    Filesize

    70KB

    MD5

    b33d5776d6a48b5679b3845069703ac2

    SHA1

    5b40ac0078ef8e86c9f7de118096403a43c2dfcb

    SHA256

    beb19c19f8b47fe64dc4e19b34edf933e0a43e131a8085deaca95b9edea85b23

    SHA512

    f1f1b9c14a2173e8d61280b4b5ba694798b5aed8ea4599fb2aa4c912001b83742356689673aaf93bc0341fb2d327ecfc93b5412baa73a2cd6d5549ac73372a6b

  • \Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe

    Filesize

    78KB

    MD5

    9b05956fb67a4272d8f3a0758df244a1

    SHA1

    92155932364228e03533b1d6c006294e51b0d64f

    SHA256

    1d5c11fa25aee984d72491f021ca308601bf02795b81d41dbf05293268edd736

    SHA512

    515be9edcc8e9b189464b19ff489cd52bc754ecf8fd78024174c4b74b389e2921a68137a0df6db2651928af197e98ba65f2c25287522686d5f68d34eb40c93ea

  • memory/2528-13-0x000000013FE60000-0x000000013FE78000-memory.dmp

    Filesize

    96KB

  • memory/2912-4-0x00000000026A0000-0x00000000026A2000-memory.dmp

    Filesize

    8KB

  • memory/3048-5-0x0000000000100000-0x0000000000102000-memory.dmp

    Filesize

    8KB

  • memory/3048-6-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/3048-20-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB