Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 16:14
Static task: static1

Behavioral task: behavioral1
Sample: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
Resource: win10v2004-20240419-en
General

Target: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
Size: 650KB
MD5: 41177aaae97b728d3ef8281563bdaf34
SHA1: 217586ee4699157434f1568e6eee180690c5750c
SHA256: 762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20
SHA512: 01e6ba88d026818e3008b31bc3a359e6fa636ab966b762d67c7c32f5e7c29b0b187ad2259304f7ac5a1583a4684ea0bb9e7252ec3c16d711703aff633533fc5a
SSDEEP: 12288:9BdlwHRn+WlYV+Y2M1Hh4OiR8aFXW/tmxjnedOQxOAfjrFaE:9BkVdlYAfJb/FXWgxjFQxOIrFaE
Malware Config

Extracted: discordrat
discord_token: MTIzMTYwODkyMTQwODY3MTgyNg.GyU5wW.z4dEi7ijUjrOfjBxpMvtoxwuv6X1yAlQjvlIuU
server_id: 1231610037986922578
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation   762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe

Executes dropped EXE (1 IoC)
  pid   Process
  532   virus.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)
  flow   ioc
  87     discord.com
  83     discord.com
  38     discord.com
  29     discord.com
  86     discord.com
  88     discord.com
  89     discord.com
  25     discord.com
  39     discord.com
  82     discord.com
  84     discord.com
  85     discord.com
  24     discord.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   532   virus.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid    Process                                                                 procid_target
  PID 3816 wrote to memory of 532   3816   762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe   97
  PID 3816 wrote to memory of 532   3816   762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe   97
Processes

1. C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\762b7762f589d9c3bbf8d05245ab043f6bf98369600451f911c83f9fed3bab20.exe"
   PID: 3816
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\virus.exe"
      PID: 532
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: 9b05956fb67a4272d8f3a0758df244a1
SHA1: 92155932364228e03533b1d6c006294e51b0d64f
SHA256: 1d5c11fa25aee984d72491f021ca308601bf02795b81d41dbf05293268edd736
SHA512: 515be9edcc8e9b189464b19ff489cd52bc754ecf8fd78024174c4b74b389e2921a68137a0df6db2651928af197e98ba65f2c25287522686d5f68d34eb40c93ea