Resubmissions
23-05-2024 03:41  240523-d8zvdacf5w  (score 10)

Analysis
Max time kernel: 119s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 23-05-2024 03:41
Static task: static1
Behavioral task: behavioral1 (Sample: Supragpj.exe; Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: Supragpj.exe; Resource: win10v2004-20240226-en)
The platform and resource fields above identify this page as the windows7_x64 task (behavioral1); the PIDs and process tree below come from that run.
General
Target: Supragpj.exe
Size: 582KB
MD5: 6fada5257c7697ddfe77aac4dd35bb4f
SHA1: 975a043beb300d2220476efd2ed1c2aff01a449e
SHA256: a7fda75ac14b403ed62f4a87fa7ffa55280b934d42a44d96266ef2e1f8e13257
SHA512: b01db0995e776c445267f8c11180f852d39f843aafb38d826f5c2d946c7d0b348e519c1e20642a147a4d2c5faebe0c2292db2bf5e577d3e624e70620ac1a0340
SSDEEP: 12288:9CQjgAtAHM+vetZxF5EWry8AJGy0yWphUnWm/pmylo3jwD:95ZWs+OZVEWry8AFBBnPk0D
Malware Config
Extracted family: discordrat
discord_token: MTI0MjgyODA0NTYzMTQ5MjE0Nw.GaK9_b.DkeSn-Pej4eo5IcrUmOmowhbH0dXKH8vZX3FZ4
server_id: 1242477718638170204
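To turn the two extracted values into something an analyst can act on, the Python script below decodes the bot user ID carried in the first dot-separated segment of the token and reads the creation timestamps embedded in that user ID and in server_id, both of which are Discord snowflakes. This is an added example, not part of the Triage report and not code from the sample; it runs offline on the values copied from the Malware Config section and never sends the token anywhere. Do not authenticate with a harvested token from an analysis host unless that is explicitly within scope.

```python
"""Decode the values Triage extracted from the Discord RAT configuration.

Added example: not the sandbox's code and not the sample's. Works offline on
the two strings copied from the Malware Config section; the token is never
sent to Discord.
"""
import base64
from datetime import datetime, timezone

# Copied from the report's Malware Config section.
DISCORD_TOKEN = "MTI0MjgyODA0NTYzMTQ5MjE0Nw.GaK9_b.DkeSn-Pej4eo5IcrUmOmowhbH0dXKH8vZX3FZ4"
SERVER_ID = 1242477718638170204

# Discord snowflakes count milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000


def bot_user_id(token: str) -> int:
    """Return the user ID carried in the first segment of a Discord bot token.

    The first dot-separated segment is the decimal user ID, base64-encoded
    with the '=' padding stripped. The other two segments (a timestamp and
    an HMAC) are deliberately left alone here.
    """
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)
    decoded = base64.b64decode(padded).decode("ascii")
    if not decoded.isdigit():
        raise ValueError("first token segment does not decode to a user ID")
    return int(decoded)


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time of a Discord snowflake: the top 42 bits are a ms timestamp."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def summarize(token: str, server_id: int) -> dict:
    """Collect the identifiers an analyst would record or report."""
    uid = bot_user_id(token)
    return {
        "bot_user_id": uid,
        "bot_created": snowflake_created_at(uid).isoformat(timespec="seconds"),
        "server_id": server_id,
        "server_created": snowflake_created_at(server_id).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    for key, value in summarize(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

The creation times are useful for triage (a bot account and guild set up within a day or two of the submission date are consistent with freshly built C2 infrastructure), and the decoded user ID, not the token, is the stable identifier to include in an abuse report.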
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.

Executes dropped EXE (1 IoC)
  pid   Process
  2540  BackDoor.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1036  Supragpj.exe
  2244  WerFault.exe
  2244  WerFault.exe
  2244  WerFault.exe
  2244  WerFault.exe
  2244  WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 1036 wrote to memory of 2540   1036  Supragpj.exe  29
  PID 1036 wrote to memory of 2540   1036  Supragpj.exe  29
  PID 1036 wrote to memory of 2540   1036  Supragpj.exe  29
  PID 2540 wrote to memory of 2244   2540  BackDoor.exe  30
  PID 2540 wrote to memory of 2244   2540  BackDoor.exe  30
  PID 2540 wrote to memory of 2244   2540  BackDoor.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\Supragpj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Supragpj.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1036
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\BackDoor.exe  (child of 1036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BackDoor.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2540
    C:\Windows\system32\WerFault.exe  (child of 2540)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2540 -s 596
      - Loads dropped DLL
      PID: 2244

The RarSFX0 directory under %TEMP% is the WinRAR self-extracting archive convention, so Supragpj.exe is an SFX wrapper that unpacks and launches BackDoor.exe. WerFault.exe -u -p 2540 is the user-mode crash handler and -p names the faulting process, so BackDoor.exe (PID 2540) crashed in this task; the Network section below is empty for this run.
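The chain above (an executable in Temp spawning a child from a RarSFX<n> subdirectory, which is then handed to WerFault.exe) is a pattern worth hunting for across endpoint telemetry. The Python below is an added example and not part of the Triage report: it runs over three process-creation events constructed from this page's process tree (the pid/ppid/image/cmd field names are an assumption for the example, not a real Sysmon export) and flags every process launched from a WinRAR SFX extraction directory, which process dropped it, and whether a later WerFault.exe -p <pid> shows that it crashed.

```python
"""Hunt for the SFX drop-and-execute chain shown in the process tree above.

Added example, not part of the Triage report. The events are constructed
from this page's process tree; the pid/ppid/image/cmd field names are an
assumption for the example, not a real Sysmon export.
"""
import re

# Constructed from the Processes section (ppid of the root is unknown here).
EVENTS = [
    {"pid": 1036, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Supragpj.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Supragpj.exe"'},
    {"pid": 2540, "ppid": 1036,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BackDoor.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BackDoor.exe"'},
    {"pid": 2244, "ppid": 2540,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmd": r"C:\Windows\system32\WerFault.exe -u -p 2540 -s 596"},
]

# WinRAR self-extracting archives unpack into %TEMP%\RarSFX<n>\ before running the payload.
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# WerFault.exe -u -p <pid> ... is the user-mode crash handler; -p names the faulting process.
WERFAULT_PID = re.compile(r"\\WerFault\.exe\s.*?-p\s+(\d+)", re.IGNORECASE)


def find_sfx_payloads(events) -> set:
    """PIDs of processes whose image lives in a RarSFX extraction directory."""
    return {e["pid"] for e in events if RARSFX_DIR.search(e["image"])}


def crashed_pids(events) -> set:
    """PIDs that WerFault was launched for, i.e. processes that faulted."""
    hits = set()
    for e in events:
        m = WERFAULT_PID.search(e["cmd"])
        if m:
            hits.add(int(m.group(1)))
    return hits


def analyze(events) -> list:
    """One finding per SFX payload: who dropped it and whether it crashed."""
    by_pid = {e["pid"]: e for e in events}
    crashed = crashed_pids(events)
    findings = []
    for pid in sorted(find_sfx_payloads(events)):
        parent = by_pid.get(by_pid[pid]["ppid"])
        findings.append({
            "pid": pid,
            "image": by_pid[pid]["image"],
            "dropper": parent["image"] if parent else None,
            "crashed": pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

In a real pipeline the same two expressions apply to the Image, ParentImage and CommandLine fields of Sysmon Event ID 1. A payload that the crash handler picks up right after launch, as in this task, is not evidence that the sample is inert; a missing runtime on the analysis image is one common cause, so compare against the behavioral2 (Windows 10) task before drawing that conclusion.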
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 78KB
MD5: bdeb1c21b2eb3126d5376a15e2438821
SHA1: 7ee99a827ee71a6dc54d5e1adc1ee650f624bcab
SHA256: 35f586efd9b4582468ddeb877a576ae97737b7976e6f6622a2959053d35edc91
SHA512: 4dc3bffa35c9ae3b244f83a18b6043c9c2c6dd3b74e426bfd989662d71ca5ea1ad45839b24d9366fd390172b9bf34fce6552a866038b182b88fd2ccab888fdb8