Analysis
- max time kernel: 670s
- max time network: 679s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: Tulpical_V3 lock.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Tulpical_V3 lock.exe
  Resource: win10v2004-20240508-en
General
- Target: Tulpical_V3 lock.exe
- Size: 736KB
- MD5: adb97c2b434b39f7aec3240097430b8a
- SHA1: 33575f816b3e281aa327e2f07f673bd1fab25a81
- SHA256: 02e896adebf162d071bf730e2c5eed52e207efe3d7eeafc094acc5b2cb763b52
- SHA512: cf85986f9527730964d92af0cc556bbbc4ad6eadca43af7427daf4addace189e9b12bebf146226df74c1882c864991b9a859decf6a1fd6d8b78bbfdd7e83ba66
- SSDEEP: 12288:aCQjgAtAHM+vetZxF5EWry8AJGy0kWyOV5b+mkSAgjxbH93kZ:a5ZWs+OZVEWry8AFi9Vx+mkSTRH93C
Malware Config
Extracted: discordrat
- discord_token: MTIxMTA5OTM2NzcyMTc5NTYzNA.GqkwcX.UOjwiFdGIpv_jY2sOCDo02zExIyfhOxTIiOv6c
- server_id: 1251241660453752944
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  Tulpical_V3 lock.exe
- Executes dropped EXE (1 IoCs)
  pid  Process
  208  lock image.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  208  lock image.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                      pid   Process               procid_target
  PID 3924 wrote to memory of 208  3924  Tulpical_V3 lock.exe  82
  PID 3924 wrote to memory of 208  3924  Tulpical_V3 lock.exe  82
Processes
- C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe"
  PID: 3924
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\lock image.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lock image.exe"
    PID: 208
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: eb574fb1d907ffd85ce1854f5585d67a
  SHA1: 6b72bc26e0f282010c1c1e5589e130d250d28bb5
  SHA256: 1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd
  SHA512: 0df1476ff05cc2c34e9c84ac4ba7760c233755f8a9f031ac33241aab71cfc1fbba20344b1403620c7f7695360d30ab124cf3557bff4730bd10f8f8b71a580c6f