Overview

overview

10

Static

static

10

newgame.exe

windows10-1703-x64

10

newgame.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-06-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    newgame.exe

  • Size

    86KB

  • MD5

    da73d03e7e63df84355ca62baaefae8a

  • SHA1

    4a24296ce0275ab6d5439a155a17d8de80d549d5

  • SHA256

    16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610

  • SHA512

    7d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7

  • SSDEEP

    1536:t2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIoC1:tZv5PDwbjNrmAE+IIoe

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0NzYwNjA2ODE3NTk2MjEzMw.G3Bv2h.Oi-mmhg6ZK_uTFZKjQiDOwr-wcEm-Hq0xizKtQ

  • server_id

    1247606720864321577

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newgame.exe
    "C:\Users\Admin\AppData\Local\Temp\newgame.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /L
      2⤵
        PID:3336
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3aec055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4296-1-0x00007FFD6FBC3000-0x00007FFD6FBC4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-0-0x0000021E38400000-0x0000021E3841A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4296-2-0x0000021E52A10000-0x0000021E52BD2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4296-3-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4296-4-0x0000021E53210000-0x0000021E53736000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4296-5-0x00007FFD6FBC3000-0x00007FFD6FBC4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-6-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4296-7-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

      Filesize

      9.9MB

      Download