Overview

overview

10

Static

static

3

WatchThi‮gpjs.exe

windows7-x64

10

WatchThi‮gpjs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WatchThi‮gpjs.exe

  • Size

    604KB

  • MD5

    5dc72471a3a544dfbd2ebd65fad3a403

  • SHA1

    9d953d6402225705068713cb203a30f317f7cd31

  • SHA256

    b04ffd94e39de8e648b97403afdb5747c453f6d20876920c2eb8d41f7453f537

  • SHA512

    8db977c7e467caa30d260b2311a469746890c3b80f8718085e1d6d1117f2ed976a892409f6ca842c51c5ad10651f8e5dc950391fb08fb39fd7c5cdb237d6c720

  • SSDEEP

    12288:TCQjgAtAHM+vetZxF5EWry8AJGy0y/DODruQ5EqwmIBet:T5ZWs+OZVEWry8AFBmDEqxIkt

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MjgyODA0NTYzMTQ5MjE0Nw.GaK9_b.DkeSn-Pej4eo5IcrUmOmowhbH0dXKH8vZX3FZ4

  • server_id

    1242477718638170204

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WatchThi‮gpjs.exe
    "C:\Users\Admin\AppData\Local\Temp\WatchThi‮gpjs.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2172 -s 596
        3⤵
        • Loads dropped DLL
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Filesize

    78KB

    MD5

    bdeb1c21b2eb3126d5376a15e2438821

    SHA1

    7ee99a827ee71a6dc54d5e1adc1ee650f624bcab

    SHA256

    35f586efd9b4582468ddeb877a576ae97737b7976e6f6622a2959053d35edc91

    SHA512

    4dc3bffa35c9ae3b244f83a18b6043c9c2c6dd3b74e426bfd989662d71ca5ea1ad45839b24d9366fd390172b9bf34fce6552a866038b182b88fd2ccab888fdb8

    Download Submit

  • memory/1700-4-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-11-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-12-0x000000013FDC0000-0x000000013FDD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2172-17-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2172-19-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

    Filesize

    9.9MB

    Download