Description	Indicator	Process	Target
PID 2292 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	C:\Windows\system32\WerFault.exe
PID 2292 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	C:\Windows\system32\WerFault.exe
PID 2292 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\monoware.exe

"C:\Users\Admin\AppData\Local\Temp\monoware.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2292 -s 604

Network

N/A

Files

memory/2292-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

memory/2292-1-0x000000013FE00000-0x000000013FE18000-memory.dmp

memory/2292-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

memory/2292-3-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

memory/2292-4-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 20:14

Reported

2024-05-31 20:16

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\monoware.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Downloads MZ/PE file

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\monoware.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	C:\Windows\system32\LogonUI.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	C:\Windows\system32\LogonUI.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	C:\Windows\system32\LogonUI.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	C:\Windows\system32\LogonUI.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	C:\Windows\system32\LogonUI.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	N/A
Token: 33	N/A	C:\Windows\system32\AUDIODG.EXE	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Windows\system32\AUDIODG.EXE	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\System32\shutdown.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Windows\System32\shutdown.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\LogonUI.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 556 wrote to memory of 2432	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	C:\Windows\System32\shutdown.exe
PID 556 wrote to memory of 2432	N/A	C:\Users\Admin\AppData\Local\Temp\monoware.exe	C:\Windows\System32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\monoware.exe

"C:\Users\Admin\AppData\Local\Temp\monoware.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2fc

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3942855 /state1:0x41c64e6d

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	gateway.discord.gg	udp
US	162.159.136.234:443	gateway.discord.gg	tcp
US	8.8.8.8:53	discord.com	udp
US	8.8.8.8:53	234.136.159.162.in-addr.arpa	udp
US	8.8.8.8:53	232.168.11.51.in-addr.arpa	udp
US	162.159.135.232:443	discord.com	tcp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	140.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	232.135.159.162.in-addr.arpa	udp
US	8.8.8.8:53	geolocation-db.com	udp
DE	159.89.102.253:443	geolocation-db.com	tcp
US	162.159.135.232:443	discord.com	tcp
US	8.8.8.8:53	253.102.89.159.in-addr.arpa	udp
US	162.159.135.232:443	discord.com	tcp
US	162.159.135.232:443	discord.com	tcp
US	8.8.8.8:53	86.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	8.8.8.8:53	cdn.discordapp.com	udp
US	162.159.133.233:443	cdn.discordapp.com	tcp
US	8.8.8.8:53	233.133.159.162.in-addr.arpa	udp
US	8.8.8.8:53	131.83.221.88.in-addr.arpa	udp
US	162.159.135.232:443	discord.com	tcp
US	162.159.135.232:443	discord.com	tcp

Files

memory/556-0-0x00007FFCE0913000-0x00007FFCE0915000-memory.dmp

memory/556-1-0x0000016C88230000-0x0000016C88248000-memory.dmp

memory/556-2-0x0000016CA2830000-0x0000016CA29F2000-memory.dmp

memory/556-3-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/556-4-0x0000016CA3030000-0x0000016CA3558000-memory.dmp

memory/556-5-0x00007FFCE0913000-0x00007FFCE0915000-memory.dmp

memory/556-6-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/556-7-0x0000016CA2BB0000-0x0000016CA2C5A000-memory.dmp

memory/556-11-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/556-12-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

Sample ID	240531-y1gn2sbg5s
Target	monoware.exe
SHA256	aed0081d6aa8fa3b29d155c6bb45e9278b4562102f8d4497a51db56871a74134
Tags	discordrat persistence rat rootkit stealer

Malware Analysis Report

2024-09-11 09:27

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files