Analysis

max time kernel: 838s
max time network: 842s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 19:11
Static task: static1

Behavioral task: behavioral1
  Sample: Tulpical_V3 lock.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: Tulpical_V3 lock.exe
  Resource: win10v2004-20240508-en
General

Target: Tulpical_V3 lock.exe
Size: 736KB
MD5: adb97c2b434b39f7aec3240097430b8a
SHA1: 33575f816b3e281aa327e2f07f673bd1fab25a81
SHA256: 02e896adebf162d071bf730e2c5eed52e207efe3d7eeafc094acc5b2cb763b52
SHA512: cf85986f9527730964d92af0cc556bbbc4ad6eadca43af7427daf4addace189e9b12bebf146226df74c1882c864991b9a859decf6a1fd6d8b78bbfdd7e83ba66
SSDEEP: 12288:aCQjgAtAHM+vetZxF5EWry8AJGy0kWyOV5b+mkSAgjxbH93kZ:a5ZWs+OZVEWry8AFi9Vx+mkSTRH93C
Malware Config

Extracted family: discordrat
  discord_token: MTIxMTA5OTM2NzcyMTc5NTYzNA.GqkwcX.UOjwiFdGIpv_jY2sOCDo02zExIyfhOxTIiOv6c
  server_id: 1251241660453752944
Signatures

Discord RAT
  A RAT written in C# using Discord as a C2.

Executes dropped EXE (1 IoC)
  pid   Process
  2956  lock image.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2764  Tulpical_V3 lock.exe
  2756  WerFault.exe
  2756  WerFault.exe
  2756  WerFault.exe
  2756  WerFault.exe
  2756  WerFault.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process               procid_target
  PID 2764 wrote to memory of 2956   2764  Tulpical_V3 lock.exe  28
  PID 2764 wrote to memory of 2956   2764  Tulpical_V3 lock.exe  28
  PID 2764 wrote to memory of 2956   2764  Tulpical_V3 lock.exe  28
  PID 2956 wrote to memory of 2756   2956  lock image.exe        29
  PID 2956 wrote to memory of 2756   2956  lock image.exe        29
  PID 2956 wrote to memory of 2756   2956  lock image.exe        29
Processes

C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe"
  PID: 2764
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\lock image.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lock image.exe"
      PID: 2956
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 2956 -s 596
          PID: 2756
          - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: eb574fb1d907ffd85ce1854f5585d67a
SHA1: 6b72bc26e0f282010c1c1e5589e130d250d28bb5
SHA256: 1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd
SHA512: 0df1476ff05cc2c34e9c84ac4ba7760c233755f8a9f031ac33241aab71cfc1fbba20344b1403620c7f7695360d30ab124cf3557bff4730bd10f8f8b71a580c6f