Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 16:14

General

  • Target

    762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe

  • Size

    650KB

  • MD5

    41177aaae97b728d3ef8281563bdaf34

  • SHA1

    217586ee4699157434f1568e6eee180690c5750c

  • SHA256

    762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20

  • SHA512

    01e6ba88d026818e3008b31bc3a359e6fa636ab966b762d67c7c32f5e7c29b0b187ad2259304f7ac5a1583a4684ea0bb9e7252ec3c16d711703aff633533fc5a

  • SSDEEP

    12288:9BdlwHRn+WlYV+Y2M1Hh4OiR8aFXW/tmxjnedOQxOAfjrFaE:9BkVdlYAfJb/FXWgxjFQxOIrFaE

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzMTYwODkyMTQwODY3MTgyNg.GyU5wW.z4dEi7ijUjrOfjBxpMvtoxwuv6X1yAlQjvlIuU

  • server_id

    1231610037986922578

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
    "C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe

    Filesize

    78KB

    MD5

    9b05956fb67a4272d8f3a0758df244a1

    SHA1

    92155932364228e03533b1d6c006294e51b0d64f

    SHA256

    1d5c11fa25aee984d72491f021ca308601bf02795b81d41dbf05293268edd736

    SHA512

    515be9edcc8e9b189464b19ff489cd52bc754ecf8fd78024174c4b74b389e2921a68137a0df6db2651928af197e98ba65f2c25287522686d5f68d34eb40c93ea

  • memory/532-14-0x000001D8949E0000-0x000001D8949F8000-memory.dmp

    Filesize

    96KB

  • memory/532-15-0x00007FFF9CCC3000-0x00007FFF9CCC5000-memory.dmp

    Filesize

    8KB

  • memory/532-16-0x000001D8AF190000-0x000001D8AF352000-memory.dmp

    Filesize

    1.8MB

  • memory/532-17-0x00007FFF9CCC0000-0x00007FFF9D781000-memory.dmp

    Filesize

    10.8MB

  • memory/532-18-0x000001D8B04F0000-0x000001D8B0A18000-memory.dmp

    Filesize

    5.2MB

  • memory/532-19-0x00007FFF9CCC3000-0x00007FFF9CCC5000-memory.dmp

    Filesize

    8KB

  • memory/532-20-0x00007FFF9CCC0000-0x00007FFF9D781000-memory.dmp

    Filesize

    10.8MB