Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 03-06-2024 15:45
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win11-20240426-en
Behavioral task: behavioral2
Sample: Client-built.exe
Resource: macos-20240410-en
General
Target: Client-built.exe
Size: 78KB
MD5: 4ac3fe07724438ff7c3e3ba1fc92bbb3
SHA1: 20b3a217c9789769f30834be154e144317f25287
SHA256: 0ff130c66f8539585e58166cf27ff4f452baa925106e68f0ee39ab16933f0527
SHA512: 6fc513f4e14fb81b44997569df3c0a224c17e2ad4cd9664df52331c854fe1ef92d38ce12b114114b33d735f355faa17a2c6c0592110d977b2daa8612b3391d23
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+qPIC:5Zv5PDwbjNrmAE+2IC
Malware Config
Extracted
discordrat
discord_token: MTI0NzIwNDM3NzM3OTQ3MTQ4Mw.GWLx7p.fDU6rq8p_NFx3C6V9QrvUaRIvcVbRqtgosu9Ik
server_id: 1247204822399320144
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
flow | ioc
1 | discord.com
4 | discord.com
6 | discord.com
7 | discord.com
8 | discord.com
9 | discord.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "118" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe

Suspicious behavior: LoadsDriver (64 IoCs)
pid | Process
Every one of the 64 pids below is listed with Process "Process not Found":
396, 4460, 1196, 2428, 1368, 3936, 1080, 1444, 864, 1656, 1260, 4844, 1680, 2188, 4472, 2148, 2312, 3016, 2868, 2840, 1032, 4136, 3924, 4612, 352, 3720, 856, 3596, 1124, 2192, 2576, 5080, 2476, 4384, 2540, 4656, 1816, 1720, 4192, 4568, 4064, 2316, 776, 460, 5064, 2860, 744, 2080, 2480, 3340, 2496, 4552, 2152, 2820, 3304, 2948, 5032, 4028, 2864, 3148, 2252, 2236, 1620, 1464

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3140 | Client-built.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
992 | LogonUI.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3140 wrote to memory of 3152 | 3140 | Client-built.exe | 77
PID 3140 wrote to memory of 3152 | 3140 | Client-built.exe | 77
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3140

    C:\Windows\System32\shutdown.exe (child of PID 3140)
      Command line: "C:\Windows\System32\shutdown.exe" /L
      PID: 3152

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a00855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 992