Overview

overview

10

Static

static

3

720f911303...4f.exe

windows7-x64

10

720f911303...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe

  • Size

    456KB

  • MD5

    b1dd06c7737e0f8d7b2b390aa99e7900

  • SHA1

    02e3374698f22818cb73b6736e197aa041ea2506

  • SHA256

    720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f

  • SHA512

    2156784311f9f8114d6729dd3433dbd1951d13bdc3a89273686039c7a18d626bb7c267dcd459e2c9d6b44065085ae2faeeceb9efa691b8930b972a81a049211d

  • SSDEEP

    6144:JE+yclwQKjdn+WPtYVJIoBfORi4ImOkMhU1YIG/:JBdlwHRn+WlYV+3RojRU1Y7

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MzA2Nzk5NzQ4NTI3MzE3Mg.G6piH7.kZKxc7d4uXnq1WYJp43XerNKVtE4_zPhSDbgkM

  • server_id

    1243088293344841749

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
    "C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\Necurity.exe
      "C:\Users\Admin\AppData\Local\Temp\Necurity.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Necurity.exe
    Filesize

    78KB

    MD5

    1697f0e2cb9b4ea2c0b061f5f5a09748

    SHA1

    c52c7bbd38cf30e996650756e0208c9a7e293c9e

    SHA256

    8788dcec9f8eab91e3b27aec2a8fde1981977e2f78cfa208635639229c78f6cd

    SHA512

    9abb578800122c2d997fb899f944c89f3e3c811e3cde2a6de125dfaf7ddc359140d42bfce965c4d00c9e3f1a3aea201741a5a9688ca24458b1f865a521e3c65c

    Download Submit

  • memory/1120-15-0x00007FFCF80B3000-0x00007FFCF80B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1120-14-0x000001C93DB40000-0x000001C93DB58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1120-16-0x000001C958190000-0x000001C958352000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1120-17-0x00007FFCF80B0000-0x00007FFCF8B71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1120-18-0x000001C959410000-0x000001C959938000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1120-19-0x00007FFCF80B3000-0x00007FFCF80B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1120-20-0x00007FFCF80B0000-0x00007FFCF8B71000-memory.dmp

    Filesize

    10.8MB

    Download