Analysis
- max time kernel: 186s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 11:26
Static task: static1
Behavioral task: behavioral1
- Sample: Kinito_horror.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2 (the run reported on this page; its platform and resource match the Analysis block above)
- Sample: Kinito_horror.exe
- Resource: win10v2004-20240426-en
General
- Target: Kinito_horror.exe
- Size: 536KB
- MD5: ad96c8a2754e9842815afb1cfdb13581
- SHA1: 422d8a2a47975ca27ae9824a99e438d4e28ece68
- SHA256: 76629cc6ae5d1de771cf074cee28eb1b7e5ce236061a19f76fee039ac8f4d81d
- SHA512: f4250022659705cb7e75530af1ec64f732942bc3db305d5e3e716eda61cfd8308ee2ca0d89b499696b8e7e2bdf8edae7b1e87387dfdc8dcd210eb9485efb70a8
- SSDEEP: 12288:fyveQB/fTHIGaPkKEYzURNA/bAg81p46UKXZlyyijD:fuDXTIGaPhEYzUzATqnxXRijD
Malware Config
Extracted: discordrat
- discord_token: MTI0MDA4ODk5MTQwODE5MzYyOA.GRW5NI.uFPBjoMjH0IQ-FgxpiJSv246Xes3LsI1_5H1Y8
- server_id: 1239434854953648229
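The extracted configuration is enough to identify the operator's C2 account without ever using the token. The script below is an added example (not code from the sandbox, from this report, or from the RAT itself): it decodes the first segment of the bot token, which by the commonly documented token layout (base64 user ID . timestamp . HMAC) is the bot's user ID, and converts that ID and server_id into creation times using the snowflake layout from Discord's API reference (bits 63..22 hold milliseconds since 2015-01-01 UTC). The function names, the token regex, and the choice to decode only the first segment are assumptions of the example; the second and third segments are not interpreted.

```python
"""Triage helper for the Discord RAT configuration above.

Added example, not code from the sandbox or the RAT. It decodes only the
public part of the extracted bot token (the base64 bot user ID) and the
server_id snowflake into creation timestamps, which is what an abuse
report to Discord and sample-to-sample pivoting need. The token is never
used to authenticate.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

# Discord snowflake layout (Discord API reference):
# bits 63..22 = milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Bot token shape as commonly documented: base64(user id).timestamp.hmac
TOKEN_RE = re.compile(r"^([A-Za-z0-9_-]{20,})\.([A-Za-z0-9_-]{6,})\.([A-Za-z0-9_-]{20,})$")

# Values copied from the report's Malware Config section.
EXTRACTED_TOKEN = "MTI0MDA4ODk5MTQwODE5MzYyOA.GRW5NI.uFPBjoMjH0IQ-FgxpiJSv246Xes3LsI1_5H1Y8"
EXTRACTED_SERVER_ID = 1239434854953648229


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Return the creation time encoded in a Discord snowflake ID."""
    ms_since_epoch = snowflake >> 22
    return DISCORD_EPOCH + timedelta(milliseconds=ms_since_epoch)


def _b64decode_unpadded(segment: str) -> bytes:
    # Token segments are emitted without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def bot_id_from_token(token: str) -> int:
    """Extract the bot's user ID from the first token segment.

    Only the first segment is decoded. The second (a timestamp) and third
    (an HMAC) are not needed for triage and are deliberately left alone.
    """
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("string does not look like a Discord bot token")
    decoded = _b64decode_unpadded(m.group(1)).decode("ascii")
    if not decoded.isdigit():
        raise ValueError("first token segment is not a numeric user id")
    return int(decoded)


def triage(token: str, server_id: int) -> dict:
    """Summarise what the config reveals about the operator's infrastructure."""
    bot_id = bot_id_from_token(token)
    return {
        "bot_user_id": bot_id,
        "bot_created": snowflake_to_datetime(bot_id),
        "server_id": server_id,
        "server_created": snowflake_to_datetime(server_id),
        # Keep only the non-secret prefix for reports and detection rules.
        "token_prefix": token.split(".")[0],
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_TOKEN, EXTRACTED_SERVER_ID).items():
        print(f"{key}: {value}")
```

Run as is, it prints the triage dictionary for the values above; nothing is sent to Discord, and only the non-secret token prefix is echoed, which is the part that belongs in an abuse report or a detection rule.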
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), which malware commonly reads to geofence execution to or away from particular countries. This is the only evasion-style registry check attributed to the sample itself.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | Kinito_horror.exe
Executes dropped EXE (1 IoC)
The dropped file is test.exe, written to %TEMP%\RarSFX0, the extraction directory that WinRAR self-extracting archives create; Kinito_horror.exe is therefore an SFX stub and test.exe is the actual payload.
Processes (pid | process):
  1560 | test.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs; the service is Discord, per the extracted config and the Discord RAT signature)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. All three hits here come from taskmgr.exe (pid 4840), which the process tree lists as a top-level process rather than a child of the sample, so they should not be attributed to Kinito_horror.exe or test.exe.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. As with the SCSI keys, both hits come from taskmgr.exe (pid 4840), not from the sample's process tree.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid | process):
  4840 | taskmgr.exe (13 hits)
All hits are from Task Manager, for which enumerating processes is expected behaviour; none are attributed to the sample.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1560 | test.exe
  Token: SeDebugPrivilege | 4840 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4840 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4840 | taskmgr.exe
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | 4840 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4840 | taskmgr.exe
The entry that matters is the first one: the dropped payload test.exe enables SeDebugPrivilege, which RATs commonly do so they can open other users' and protected processes. The remaining five are Task Manager's own privilege adjustments.
Suspicious use of FindShellTrayWindow (39 IoCs)
Processes (pid | process):
  4840 | taskmgr.exe (39 hits)
Suspicious use of SendNotifyMessage (39 IoCs)
Processes (pid | process):
  4840 | taskmgr.exe (39 hits)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description | pid | process | target process):
  PID 3652 wrote to memory of 1560 | 3652 | Kinito_horror.exe | test.exe
  PID 3652 wrote to memory of 1560 | 3652 | Kinito_horror.exe | test.exe
Both writes go from the SFX stub into the child process it had just started, which is consistent with a stub launching its payload rather than with injection into an unrelated process.
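The three registry-read signatures above (location settings, SCSI keys, processor information) are raised per key access without saying which process tree they belong to, which is why two of them land on Task Manager here. The script below is an added example, not sandbox code: it classifies Procmon-style registry reads into those three categories and then splits the counts between the sample's own process tree and everything else, using the PIDs from this report. The CSV rows are constructed from the report's IoCs; the rule names, the PID set and the function names are assumptions of the example. Sysmon is not used as the event source on purpose: its registry events (12, 13, 14) record key create/delete, value set and rename, not reads, so queries like these are only visible in Procmon captures, ETW registry tracing or sandbox telemetry.

```python
"""Classify registry reads into the geofence and sandbox-detection
categories flagged by the signatures above, and separate hits from the
sample's process tree from hits by unrelated processes.

Added example; not code from the sandbox or from the sample. Input is a
constructed Procmon-style CSV whose paths are copied from the report's
IoCs (native \\REGISTRY\\... paths, as the sandbox logs them).
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, Tuple

# Rules over the normalised (HKLM\ / HKU\) path. Tag names are ours.
RULES = [
    ("geofence", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("scsi_enum", re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Enum\\SCSI\\", re.I)),
    ("cpu_info", re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)),
]

# Only read-type operations count; a write to the same key is a different signal.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# PIDs of the sample's own tree from the process list: stub 3652, dropped test.exe 1560.
SAMPLE_TREE_PIDS = {3652, 1560}

# Constructed input: the report's registry IoCs as Procmon rows, plus one
# RegCloseKey row to show that non-read operations are ignored.
SAMPLE_CSV = r"""Process Name,PID,Operation,Path
Kinito_horror.exe,3652,RegQueryValue,\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
Kinito_horror.exe,3652,RegCloseKey,\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
taskmgr.exe,4840,RegOpenKey,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
taskmgr.exe,4840,RegQueryValue,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
taskmgr.exe,4840,RegOpenKey,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
taskmgr.exe,4840,RegOpenKey,\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
taskmgr.exe,4840,RegQueryValue,\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
"""


def normalise(path: str) -> str:
    """Map native NT registry paths onto the hive prefixes Procmon prints."""
    for nt_prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(nt_prefix):
            return hive + path[len(nt_prefix):]
    return path


def classify(csv_text: str) -> Dict[str, Dict[str, int]]:
    """Return {"process:pid": {tag: count}} for registry reads that match a rule."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in READ_OPS:
            continue
        path = normalise(row["Path"])
        for tag, pattern in RULES:
            if pattern.search(path):
                hits[f'{row["Process Name"]}:{row["PID"]}'][tag] += 1
    return {proc: dict(tags) for proc, tags in hits.items()}


def split_by_tree(hits: Dict[str, Dict[str, int]], tree_pids) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Split aggregated tag counts into (sample tree, everything else)."""
    own: Dict[str, int] = defaultdict(int)
    other: Dict[str, int] = defaultdict(int)
    for proc, tags in hits.items():
        pid = int(proc.rsplit(":", 1)[1])
        bucket = own if pid in tree_pids else other
        for tag, n in tags.items():
            bucket[tag] += n
    return dict(own), dict(other)


if __name__ == "__main__":
    hits = classify(SAMPLE_CSV)
    own, other = split_by_tree(hits, SAMPLE_TREE_PIDS)
    print("per process:", hits)
    print("attributable to the sample:", own)
    print("from unrelated processes:", other)
```

On the constructed rows only the geofence lookup is attributable to the sample; the SCSI and processor reads all fall into the "unrelated processes" bucket because they come from pid 4840, which is not in the sample's tree.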
Processes
- C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe (depth 2, child of Kinito_horror.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (depth 1, not spawned by the sample)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (depth 1, not spawned by the sample)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
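The RarSFX0 directory in the process tree is the extraction folder that WinRAR self-extracting archives create under %TEMP%, which marks Kinito_horror.exe as an SFX stub: a normal PE with the RAR archive holding the payload (here test.exe) appended to it. That archive can be recovered offline, without executing the stub, by locating the RAR marker block and slicing from there. The script below is an added example, not code from the sandbox or from the sample; the bytes it handles are constructed, and the function names are ours.

```python
"""Carve the archive out of a WinRAR self-extracting (SFX) executable
without running it.

Added example; not code from the sandbox or from the sample. An SFX is a
PE stub followed by the RAR archive, so finding the RAR marker block after
the MZ header and slicing from that offset yields the archive, whose
contents (the dropped test.exe in this report) can then be listed and
extracted with unrar or 7-Zip. The sample bytes are constructed.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Marker blocks from the RAR format documentation.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def find_rar_archive(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, version) of the first RAR marker inside a PE, else None."""
    if blob[:2] != b"MZ":
        return None  # not a PE, so not an SFX stub
    found = []
    for sig, version in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4")):
        off = blob.find(sig, 2)  # skip the MZ header itself
        if off != -1:
            found.append((off, version))
    return min(found) if found else None


def carve(blob: bytes) -> Optional[Dict[str, object]]:
    """Split an SFX into stub and archive and hash both for the report."""
    hit = find_rar_archive(blob)
    if hit is None:
        return None
    offset, version = hit
    stub, archive = blob[:offset], blob[offset:]
    return {
        "offset": offset,
        "version": version,
        "stub_sha256": hashlib.sha256(stub).hexdigest(),
        "archive_sha256": hashlib.sha256(archive).hexdigest(),
        "archive_size": len(archive),
    }


def build_fake_sfx(stub_len: int = 4096) -> bytes:
    """Constructed stand-in for an SFX: a padded 'MZ' stub then a RAR5 marker."""
    stub = b"MZ" + b"\x90" * (stub_len - 2)
    # A real file continues with the RAR5 archive header and the compressed
    # payload; 64 zero bytes are enough to exercise the carving logic.
    return stub + RAR5_SIG + b"\x00" * 64


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_fake_sfx()
    result = carve(data)
    print(result if result else "no RAR marker found after the PE header")
    if result and len(sys.argv) > 1:
        # Hand the carved archive to `unrar l` or 7-Zip to list the payload.
        with open(sys.argv[1] + ".carved.rar", "wb") as fh:
            fh.write(data[result["offset"]:])
```

Run without arguments it exercises the constructed stand-in; given a path it carves that file and writes the archive next to it. Hashing the stub separately is useful because the same SFX module is reused across many unrelated samples, while the archive hash tracks the actual payload.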
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
  Filesize: 78KB
  MD5: ae9c47b621a083a0b0681b7aa9530946
  SHA1: 6cdd316cb5b2869927b42597b25cf7d495d5f9a4
  SHA256: aa3727520be4bc19a78da7f575a9dcc93c0b5c2743725300f942e7dee2eaa3b1
  SHA512: ae6330429bb9bc21709162296de375a79f5b8b89b3f4b58a5da12737b2fe0b44570e5eaab8fbb92ce190600fb1fc2a5f91fa425a719d8363a481d99f173bb109
- memory/1560-16-0x000001BA42F60000-0x000001BA43122000-memory.dmp (1.8MB)
- memory/1560-15-0x00007FFC74453000-0x00007FFC74455000-memory.dmp (8KB)
- memory/1560-14-0x000001BA28950000-0x000001BA28968000-memory.dmp (96KB)
- memory/1560-17-0x00007FFC74450000-0x00007FFC74F11000-memory.dmp (10.8MB)
- memory/1560-18-0x000001BA43760000-0x000001BA43C88000-memory.dmp (5.2MB)
- memory/1560-19-0x00007FFC74453000-0x00007FFC74455000-memory.dmp (8KB)
- memory/1560-20-0x00007FFC74450000-0x00007FFC74F11000-memory.dmp (10.8MB)
- memory/4840-21-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-23-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-22-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-33-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-32-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-31-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-30-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-29-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-28-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)
- memory/4840-27-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp (4KB)