Analysis
- max time kernel: 129s
- max time network: 140s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08-05-2024 08:10
Static task
- static1

Behavioral task
- behavioral1
  - Sample: Tria.gay.exe
  - Resource: win10v2004-20240419-en

Behavioral task
- behavioral2
  - Sample: Tria.gay.exe
  - Resource: win10-20240404-en
General
- Target: Tria.gay.exe
- Size: 629KB
- MD5: b3cea39c19b4c87e9a4e5400fa5c9c48
- SHA1: d08516f598618d5d01f4ca0f536e1c946fe6bfec
- SHA256: c41bbd9aeb765015231cb1b05de9ef13fba577877a226817cfad9bfeebe8fc5a
- SHA512: 322e324f2fe98ab272e92cb2663b16e20db7b61a1a170e2eb1c31b0ff9bf17d1c9a6e66819bd628d9611b6ed23be2e353b465f9bb7c9662252c5a49126c1dc6d
- SSDEEP: 12288:0CQjgAtAHM+vetZxF5EWry8AJGy0Aq2aQOyfHrJnU44:05ZWs+OZVEWry8AFu2aQvfHmR
Malware Config
Extracted family: discordrat
- discord_token: MTIzNDcyMDk2NjIzNjU3MzgwNg.GAgMA7.5Fr2VglBtzELzBN5jTv1isgkXurp9_3fiYShzU
- server_id: 1235156619520901140
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoC)
  pid 4324: Client-built.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  flow 5: discord.com
  flow 9: discord.com
  flow 12: discord.com
  flow 13: discord.com
  flow 14: discord.com
  flow 18: discord.com
  flow 4: discord.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4324, process Client-built.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4388 wrote to memory of 4324 (pid 4388, process Tria.gay.exe, procid_target 74)
  PID 4388 wrote to memory of 4324 (pid 4388, process Tria.gay.exe, procid_target 74)
Processes
- C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe"
  PID: 4388
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
    PID: 4324
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: 0cccb44d8b9efe2baa53f809f54923f6
  SHA1: 57f8d3877af9853fc9f880e05a045274dd7c7c3d
  SHA256: 7fbdcb4fc89ad23c70c9b17e5e633e4b4688beaa7081b7e530f156608246aee9
  SHA512: 0aef03daf778f7b0b5cc1a077fb0b7a37972220e816ce577968f564aa192e226658aced1865a5917d623d28ec53b3c92f893940fec726268f2cdb4b991227f32