Overview

overview

10

Static

static

3

leokadia f...pm.exe

windows7-x64

10

leokadia f...pm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    leokadia film/leosia s‮4pm.exe

  • Size

    1.1MB

  • MD5

    3d988d51bb78c7f05d1d9d621704bd8b

  • SHA1

    63d9eb61ef9c3a8c06e551651b8ad191f5cbe5a6

  • SHA256

    f9c95d44186d306f43e7c7b0be319d9feaba04226ce016b56949916c5185c007

  • SHA512

    c6ccf1423ab8bb6821521810b1247b288bb27dd00047a9deb5dc81be215a9a70f41bc44efce93638056e3a20b9f6efa2b552dae0b2483b613d5302bbcad25a62

  • SSDEEP

    24576:9uDXTIGaPhEYzUzA0x4w0LzbUNfGL4w0LzbUNHFMkcY4VV+XqyPJcOtk3MrS6y:gDjlabwz9Wvb8vbgFxcYZXfX+kS6y

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MzY3MDczMTU5MDcyOTc5OQ.G25Fr1.zUYZMU8iXioqif_5Uws8Eat0XjMaXMVbm9OT_0

  • server_id

    1243671022599802944

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\leokadia film\leosia s‮4pm.exe
    "C:\Users\Admin\AppData\Local\Temp\leokadia film\leosia s‮4pm.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1256 -s 596
        3⤵
        • Loads dropped DLL
        PID:2560
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\leokadia film\leokadia.mp4"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2732
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe
    Filesize

    78KB

    MD5

    2a562de28a4a276c5fd1496b298bf78c

    SHA1

    fa9be444f9dd748c9e244f9590e210322d619127

    SHA256

    cf49718a7221223c4ac270b07f1775f82424a2edda1788fa47a743249c9ebe1b

    SHA512

    28aede7a8c9572a5f1d68ff32b7fe4a47c8382f958f71df6cf5425e5e4ecc015c321b697334790b5f0615455761ace07854213dff0d1c3536c3ebeea5a851d59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\leokadia film\leokadia.mp4
    Filesize

    470KB

    MD5

    1e98d436a0b9f09aa3944e545ec8764d

    SHA1

    f9c1aa370097c6849349d2453419e19be2e48eac

    SHA256

    04d524c0b369b29199bb956576c18be7933ad25db9a836e205d48850fb664fdb

    SHA512

    387fa769d3f8c78efc36a76eb464dd548e4c7acd0e46eeacc2c324f343773e976d7aca18cb0b16379f5cb2a06def9f09fbe80d038a001d688b2d4321999b95d2

    Download Submit

  • memory/1256-12-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1256-13-0x000000013F210000-0x000000013F228000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2732-32-0x000000013FD80000-0x000000013FE78000-memory.dmp

    Filesize

    992KB

    Download

  • memory/2732-33-0x000007FEF77B0000-0x000007FEF77E4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2732-34-0x000007FEF5F60000-0x000007FEF6216000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2732-35-0x000007FEF2CD0000-0x000007FEF3D80000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/2856-36-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2856-37-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download