Analysis
max time kernel: 150s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 02:37
Behavioral task: behavioral1
Sample: rizz.exe
Resource: win10v2004-20240508-en (windows10-2004-x64)
9 signatures, 150 seconds
General
Target: rizz.exe
Size: 78KB
MD5: 6ed2528aa8fff43587739f7b2638ee92
SHA1: 4148b092d718188de7b4ed127ff64cd7f0be63bf
SHA256: 5df303a1df4baca2c539771c6d55058c8ff3ef2a790f696d470edfeb06cde1dc
SHA512: bd5022345d34f1cfd2c55be07b19502b657376f3bd4b98dcf69a02b9cd67f38448b7d69bf2f4c95a3d1f5ebcaa603b7b3d3ca2fc9080b0784726667e5bfdf967
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+xPIC:5Zv5PDwbjNrmAE+hIC
Score: 10/10
Malware Config
Extracted
Family: discordrat
Attributes:
  discord_token: MTIzOTAzODExOTgxMTIxOTQ4Ng.GFwX-u.vbyy2FgWgxWiAFGiAQUcg_ucSW0DuGYLoG4ZsA
  server_id: 1239038552336109569
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   rizz.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  flow   ioc
  17     discord.com
  28     discord.com
  29     discord.com
  43     discord.com
  6      discord.com
  7      discord.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (15 IoCs)
  description        ioc                                                                                                                     Process
  Set value (data)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00   LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                                       LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                                       LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"                       LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                                LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                                 LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                            LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"                                LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                                   LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                                LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                                      LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"        LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"       LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                                 LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                             LogonUI.exe
Suspicious behavior: LoadsDriver (64 IoCs)
  pid    Process
  All 64 entries report Process as "Process not Found"; the pids are:
  4564, 1484, 3004, 3944, 1648, 2560, 4508, 4008, 396, 5108, 2556, 4836, 4432, 972, 3800, 4728, 1536, 2840, 4104, 4724,
  2404, 1628, 4860, 4612, 4192, 3968, 4868, 2636, 4656, 1464, 1472, 5044, 4532, 5028, 3488, 4620, 1816, 2448, 5020, 5080,
  2120, 3672, 232, 4324, 4560, 1204, 3528, 3760, 3996, 2496, 3232, 1756, 4972, 1612, 828, 1268, 2052, 544, 1364, 4968,
  2320, 548, 4664, 3624
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   4820   rizz.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  1300   LogonUI.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid    Process    procid_target
  PID 4820 wrote to memory of 3152    4820   rizz.exe   92
  PID 4820 wrote to memory of 3152    4820   rizz.exe   92
Processes

C:\Users\Admin\AppData\Local\Temp\rizz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rizz.exe"
  Depth: 1
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4820

  C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /L
    Depth: 2 (child of rizz.exe, PID 4820)
    PID: 3152

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3944855 /state1:0x41c64e6d
  Depth: 1
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1300