Resubmissions
19-06-2024 18:57
240619-xl3gjaxbnf 10Analysis
-
max time kernel
91s -
max time network
126s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-06-2024 18:57
Behavioral task
behavioral1
Sample
hehe's external.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
hehe's external.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
hehe's external.exe
Resource
win11-20240611-en
General
-
Target
hehe's external.exe
-
Size
78KB
-
MD5
89843ea4105378e4fbe7afe99f2b291b
-
SHA1
a469ae734ba46f9a3712d95fa987286a303263d7
-
SHA256
d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24
-
SHA512
7cff64984b9d4cd233542e10cb507b99fd7c291d4cea52af6feb36e029094d7db68643d120f6239623ef567867baab903095a56fc713565cddddbcb66b5f5574
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9GPIC:5Zv5PDwbjNrmAE+8IC
Malware Config
Extracted
discordrat
-
discord_token
MTI1MjM2MzM1NDQwNDgxOTEzOA.Gu7T7x.fG7ImMChaLHchh6lcv8_MHa3JQWR8Fn4L12thY
-
server_id
1251916764929982485
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2020 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 9 discord.com 1 discord.com 3 discord.com 5 discord.com 6 discord.com 7 discord.com 8 discord.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2020 powershell.exe 2020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4288 hehe's external.exe Token: 33 416 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 416 AUDIODG.EXE Token: SeDebugPrivilege 2020 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4288 wrote to memory of 2020 4288 hehe's external.exe 83 PID 4288 wrote to memory of 2020 4288 hehe's external.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004F8 0x00000000000005001⤵
- Suspicious use of AdjustPrivilegeToken
PID:416
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82