Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
29-05-2024 06:37
Static task
static1
Behavioral task
behavioral1
Sample
720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
Resource
win10v2004-20240508-en
General
-
Target
720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
-
Size
456KB
-
MD5
b1dd06c7737e0f8d7b2b390aa99e7900
-
SHA1
02e3374698f22818cb73b6736e197aa041ea2506
-
SHA256
720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f
-
SHA512
2156784311f9f8114d6729dd3433dbd1951d13bdc3a89273686039c7a18d626bb7c267dcd459e2c9d6b44065085ae2faeeceb9efa691b8930b972a81a049211d
-
SSDEEP
6144:JE+yclwQKjdn+WPtYVJIoBfORi4ImOkMhU1YIG/:JBdlwHRn+WlYV+3RojRU1Y7
Malware Config
Extracted
discordrat
-
discord_token
MTI0MzA2Nzk5NzQ4NTI3MzE3Mg.G6piH7.kZKxc7d4uXnq1WYJp43XerNKVtE4_zPhSDbgkM
-
server_id
1243088293344841749
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
pid Process 2484 Necurity.exe -
Loads dropped DLL 6 IoCs
pid Process 2220 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe 2404 WerFault.exe 2404 WerFault.exe 2404 WerFault.exe 2404 WerFault.exe 2404 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2216 DllHost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2484 2220 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe 29 PID 2220 wrote to memory of 2484 2220 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe 29 PID 2220 wrote to memory of 2484 2220 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe 29 PID 2220 wrote to memory of 2484 2220 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe 29 PID 2484 wrote to memory of 2404 2484 Necurity.exe 30 PID 2484 wrote to memory of 2404 2484 Necurity.exe 30 PID 2484 wrote to memory of 2404 2484 Necurity.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe"C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\Necurity.exe"C:\Users\Admin\AppData\Local\Temp\Necurity.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2484 -s 5963⤵
- Loads dropped DLL
PID:2404
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2216
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD55eb37c011ce35222ae21a559968b49ac
SHA169b03f51b8cee870d2d8c07eb0564737bb65532b
SHA256af8a484b863eda12986799261d0edbfdc28edb9fbe72fd25b1ef2bec08c93aac
SHA51279d09e40e41475d44d3aa690afeaa4fe9b1b951a43eed87f1e074a9524f596fc7b97de06cd6d9cfbb24e0983e4f75433c24965a9d7ebea8736ecc3f776260fb0
-
Filesize
78KB
MD51697f0e2cb9b4ea2c0b061f5f5a09748
SHA1c52c7bbd38cf30e996650756e0208c9a7e293c9e
SHA2568788dcec9f8eab91e3b27aec2a8fde1981977e2f78cfa208635639229c78f6cd
SHA5129abb578800122c2d997fb899f944c89f3e3c811e3cde2a6de125dfaf7ddc359140d42bfce965c4d00c9e3f1a3aea201741a5a9688ca24458b1f865a521e3c65c