Overview

overview

10

Static

static

1

wow.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wow.zip

  • Size

    28KB

  • MD5

    a98c71bc37633b0339b7df3e131020a3

  • SHA1

    a2db16bdbb7a8e061778762757379b9f0046ed50

  • SHA256

    0a6a0baaf4774255ad58385d3e99c2978ab2bf1429071212a52345c5171555da

  • SHA512

    fbe4d01746848b5d1c7d3d38f6645153f580a6b19675eea55d1bc64d096a98df216bf0271823a1fafc7f14e65f81bb148c3bdeeb4f35c7a12f3deffd21105a49

  • SSDEEP

    768:Rhj5hbiKvyvHg3ibJtZfJZZ8xgJdbvb9cL4sDL2kAm:R9LmK6/g3i9tPhJdTe1Z

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MDY4MDAwOTA1NjcxODg1OA.Gsgb1p.yKrTtjnMzEfZMtnNe8EGmYm3XDkNU2c5sOLJ5Y

  • server_id

    1250638699088187392

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\wow.zip
    1⤵
      PID:992
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1572
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap10174:86:7zEvent11475
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3108
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3552
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3408
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:468
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3784
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3892
      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
      • C:\Users\Admin\Desktop\discord nitro generator.exe
        "C:\Users\Admin\Desktop\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Users\Admin\Desktop\discord nitro generator.exe
        "C:\Users\Admin\Desktop\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
      • C:\Users\Admin\Desktop\discord nitro generator.exe
        "C:\Users\Admin\Desktop\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Users\Admin\Desktop\discord nitro generator.exe
        "C:\Users\Admin\Desktop\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5124
      • C:\Users\Admin\Desktop\discord nitro generator.exe
        "C:\Users\Admin\Desktop\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5496

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\wow\discord nitro generator.exe
        Filesize

        78KB

        MD5

        58152cdf93eed1f705ed64ba2f36ed60

        SHA1

        fac451bb4b4733c855479a0143306d0cf027da80

        SHA256

        0272a484c96171641cccca7b0315bd5e112c8cb7bf54ce05ad801d31d1c9296f

        SHA512

        4c3b670625b1ab15b16bf118ac32e13b7548a73f02eefdc0c6c415d09a2998ba2bd20b1ad59397abc788c8cb41633a0d37623c679a85f3996737a44b4f4aadb2

        Download Submit

      • memory/4520-4-0x000002389E0C0000-0x000002389E0D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4520-5-0x00000238B86B0000-0x00000238B8872000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4520-6-0x00000238B8FF0000-0x00000238B9518000-memory.dmp

        Filesize

        5.2MB

        Download