Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 11:26
Static task
static1
Behavioral task
behavioral1
Sample
Kinito_horror.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Kinito_horror.exe
Resource
win10v2004-20240426-en
General
-
Target
Kinito_horror.exe
-
Size
536KB
-
MD5
ad96c8a2754e9842815afb1cfdb13581
-
SHA1
422d8a2a47975ca27ae9824a99e438d4e28ece68
-
SHA256
76629cc6ae5d1de771cf074cee28eb1b7e5ce236061a19f76fee039ac8f4d81d
-
SHA512
f4250022659705cb7e75530af1ec64f732942bc3db305d5e3e716eda61cfd8308ee2ca0d89b499696b8e7e2bdf8edae7b1e87387dfdc8dcd210eb9485efb70a8
-
SSDEEP
12288:fyveQB/fTHIGaPkKEYzURNA/bAg81p46UKXZlyyijD:fuDXTIGaPhEYzUzATqnxXRijD
Malware Config
Extracted
discordrat
-
discord_token
MTI0MDA4ODk5MTQwODE5MzYyOA.GRW5NI.uFPBjoMjH0IQ-FgxpiJSv246Xes3LsI1_5H1Y8
-
server_id
1239434854953648229
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
pid Process 2736 test.exe -
Loads dropped DLL 6 IoCs
pid Process 1936 Kinito_horror.exe 2872 WerFault.exe 2872 WerFault.exe 2872 WerFault.exe 2872 WerFault.exe 2872 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2736 1936 Kinito_horror.exe 28 PID 1936 wrote to memory of 2736 1936 Kinito_horror.exe 28 PID 1936 wrote to memory of 2736 1936 Kinito_horror.exe 28 PID 2736 wrote to memory of 2872 2736 test.exe 29 PID 2736 wrote to memory of 2872 2736 test.exe 29 PID 2736 wrote to memory of 2872 2736 test.exe 29 PID 1936 wrote to memory of 3008 1936 Kinito_horror.exe 30 PID 1936 wrote to memory of 3008 1936 Kinito_horror.exe 30 PID 1936 wrote to memory of 3008 1936 Kinito_horror.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe"C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2736 -s 5963⤵
- Loads dropped DLL
PID:2872
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\message.vbs"2⤵PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85B
MD50a1ad62f6ca61c35292fbb6a6ba92012
SHA1a197804ef65d506aae02ee680ac0efa24b40b93d
SHA256872a5050ddab629a34445e745086a43ab4d293a8ca5d1062b6a066352c678cc4
SHA512e55cfcb712a564053cd3d831a6b5c1105411cee1f0986c02badd73ecb603fdd2c5bd46aae5d601145c08c41e05f9da7250aecbe4574c5a505511a87e56ce6d34
-
Filesize
78KB
MD5ae9c47b621a083a0b0681b7aa9530946
SHA16cdd316cb5b2869927b42597b25cf7d495d5f9a4
SHA256aa3727520be4bc19a78da7f575a9dcc93c0b5c2743725300f942e7dee2eaa3b1
SHA512ae6330429bb9bc21709162296de375a79f5b8b89b3f4b58a5da12737b2fe0b44570e5eaab8fbb92ce190600fb1fc2a5f91fa425a719d8363a481d99f173bb109