Overview

overview

10

Static

static

1

wow.zip

windows7-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 05:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wow.zip

  • Size

    28KB

  • MD5

    a98c71bc37633b0339b7df3e131020a3

  • SHA1

    a2db16bdbb7a8e061778762757379b9f0046ed50

  • SHA256

    0a6a0baaf4774255ad58385d3e99c2978ab2bf1429071212a52345c5171555da

  • SHA512

    fbe4d01746848b5d1c7d3d38f6645153f580a6b19675eea55d1bc64d096a98df216bf0271823a1fafc7f14e65f81bb148c3bdeeb4f35c7a12f3deffd21105a49

  • SSDEEP

    768:Rhj5hbiKvyvHg3ibJtZfJZZ8xgJdbvb9cL4sDL2kAm:R9LmK6/g3i9tPhJdTe1Z

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MDY4MDAwOTA1NjcxODg1OA.Gsgb1p.yKrTtjnMzEfZMtnNe8EGmYm3XDkNU2c5sOLJ5Y

  • server_id

    1250638699088187392

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\wow.zip
    1⤵
      PID:112
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:1168
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wow.zip"
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2896
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\wow\" -ad -an -ai#7zMap8063:86:7zEvent12807
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2280
      • C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1776 -s 596
          2⤵
          • Loads dropped DLL
          PID:320
      • C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:280
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 280 -s 596
          2⤵
          • Loads dropped DLL
          PID:2704
      • C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1688 -s 596
          2⤵
          • Loads dropped DLL
          PID:1700
      • C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
        "C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1676 -s 596
          2⤵
          • Loads dropped DLL
          PID:324

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
        Filesize

        78KB

        MD5

        58152cdf93eed1f705ed64ba2f36ed60

        SHA1

        fac451bb4b4733c855479a0143306d0cf027da80

        SHA256

        0272a484c96171641cccca7b0315bd5e112c8cb7bf54ce05ad801d31d1c9296f

        SHA512

        4c3b670625b1ab15b16bf118ac32e13b7548a73f02eefdc0c6c415d09a2998ba2bd20b1ad59397abc788c8cb41633a0d37623c679a85f3996737a44b4f4aadb2

        Download Submit
      • memory/280-26-0x000000013F480000-0x000000013F498000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1676-50-0x000000013F4F0000-0x000000013F508000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1688-38-0x000000013F8E0000-0x000000013F8F8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1776-14-0x000000013FC90000-0x000000013FCA8000-memory.dmp
        Filesize

        96KB

        Download