Overview

overview

10

Static

static

3

Lethal Com...fx.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-06-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lethal Company.sfx.exe

  • Size

    441KB

  • MD5

    894400e9cad147e5cd861e788ba80739

  • SHA1

    bdf4a2e17183b8fa6e932ebf5adea42cf3e544b9

  • SHA256

    2103f44233a623b29738ecd251656c3964a873920956fa4cfe7ce17a17001e6e

  • SHA512

    013e3386d7f67fc80628f457580c03d294aa27a94602265aca1675bdc6332ee2b4f2b9a092bc50a9f0a75dc24258dac3e01a0aca912f96e42bef10b667fd774a

  • SSDEEP

    12288:SBdlwHRn+WlYV+W2X+t4uwBDmNWKejrFaE:SBkVdlYAW0uwFmUrFaE

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1NDQzOTMwMjU1MzkyNzc2MQ.G0gbWG.p0dvgGvhzUkkjFPeMGPUIjn6cnvAGT0-eTUVi4

  • server_id

    539143760898949148

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lethal Company.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\Lethal Company.sfx.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lethal Company.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lethal Company.exe"
      2⤵
      • Executes dropped EXE
      PID:856
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:292
      • C:\Windows\SYSTEM32\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe'" /sc onlogon /rl HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Filesize

    78KB

    MD5

    f42bdf8f20e5255f795c8674660b1726

    SHA1

    33f091151b0c8fd79a54147745cf31a73fdc5b09

    SHA256

    29c656fea6ff37a604471ab0ad639c84ee126068e0d35ec08ad4b7d6e10800df

    SHA512

    348a29e0e4fbd64ac039987d5368e949c033a45ae51165f3f50d1d8189c3b5955d9ccb4fff40427f12771b4584dadc6aa7244e9241a5a76e1584f2442d8b43a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lethal Company.exe
    Filesize

    651KB

    MD5

    a5721809407229d21ea49a2eb5d8e962

    SHA1

    1456ec35a2d975ec9d5e732c1fb27987c4184697

    SHA256

    469f208de455fcb6d334b6ec3655102ae6893de374f890961ab9f317bdfb2c8c

    SHA512

    f2d5dfb53b790f65987cba5340a3983f03eb23416dc8eb1a1d768a109d845191c48a445f54783b16ed4e089086d2f2815f91582a0f2a547d959a74c5a2f4064a

    Download Submit
  • memory/292-13-0x000002C362B80000-0x000002C362B98000-memory.dmp
    Filesize

    96KB

    Download
  • memory/292-14-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp
    Filesize

    4KB

    Download
  • memory/292-15-0x000002C37D110000-0x000002C37D2D2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/292-16-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/292-17-0x000002C37D910000-0x000002C37DE36000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/292-18-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp
    Filesize

    4KB

    Download
  • memory/292-19-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/292-20-0x000002C37F980000-0x000002C37F9F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/292-21-0x000002C37CFA0000-0x000002C37CFB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/292-22-0x000002C37D8B0000-0x000002C37D8CE000-memory.dmp
    Filesize

    120KB

    Download