Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 06:37
Static task: static1
Behavioral task: behavioral1
  Sample: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
  Resource: win10v2004-20240508-en
General
Target: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
Size: 456KB
MD5: b1dd06c7737e0f8d7b2b390aa99e7900
SHA1: 02e3374698f22818cb73b6736e197aa041ea2506
SHA256: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f
SHA512: 2156784311f9f8114d6729dd3433dbd1951d13bdc3a89273686039c7a18d626bb7c267dcd459e2c9d6b44065085ae2faeeceb9efa691b8930b972a81a049211d
SSDEEP: 6144:JE+yclwQKjdn+WPtYVJIoBfORi4ImOkMhU1YIG/:JBdlwHRn+WlYV+3RojRU1Y7
Malware Config
Extracted family: discordrat
discord_token: MTI0MzA2Nzk5NzQ4NTI3MzE3Mg.G6piH7.kZKxc7d4uXnq1WYJp43XerNKVtE4_zPhSDbgkM
server_id: 1243088293344841749
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe

Executes dropped EXE (1 IoC)
  PID 1120: Necurity.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  Flow 29: discord.com
  Flow 33: discord.com
  Flow 28: discord.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  PID 1120: Necurity.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  Description: PID 3108 wrote to memory of 1120
  PID 3108: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe (target procid 96)
  Description: PID 3108 wrote to memory of 1120
  PID 3108: 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe (target procid 96)
Processes

1. C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe"
   PID: 3108
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Necurity.exe (child of PID 3108)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Necurity.exe"
      PID: 1120
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: 1697f0e2cb9b4ea2c0b061f5f5a09748
SHA1: c52c7bbd38cf30e996650756e0208c9a7e293c9e
SHA256: 8788dcec9f8eab91e3b27aec2a8fde1981977e2f78cfa208635639229c78f6cd
SHA512: 9abb578800122c2d997fb899f944c89f3e3c811e3cde2a6de125dfaf7ddc359140d42bfce965c4d00c9e3f1a3aea201741a5a9688ca24458b1f865a521e3c65c