Analysis
-
max time kernel
46s -
max time network
48s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-06-2024 05:00
Behavioral task
behavioral1
Sample
Client-built - Copy.exe
Resource
win11-20240611-en
windows11-21h2-x64
7 signatures
300 seconds
Errors
Reason
Machine shutdown
General
-
Target
Client-built - Copy.exe
-
Size
78KB
-
MD5
fa1a7fb8afaef6825535ef885409a484
-
SHA1
4ee27f06202c15c90c04dc4da55a8fad1adcb7f1
-
SHA256
0e294775732a677349f781ee128643e719ec723638b0a4ea92b594aa6a5359a1
-
SHA512
27911382db140aa75ec29ff0ff455735035d16d3ed7544289d5783202882f9457899c574274733b212f768a6a907b1e9ebf49be2137c8375f2f29c888fdc9f36
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTI1NDI2NzMxMTc1NDMxNzkzNQ.G1kpEW.8_zOmb-wMjYJWcW9I4Z-tXZc1z0-NpZOZgk2y8
-
server_id
1254269611520823366
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 7 discord.com 8 discord.com 9 discord.com 1 discord.com 4 discord.com 6 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "35" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4700 Client-built - Copy.exe Token: SeShutdownPrivilege 2404 shutdown.exe Token: SeRemoteShutdownPrivilege 2404 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3908 LogonUI.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4700 wrote to memory of 2404 4700 Client-built - Copy.exe 81 PID 4700 wrote to memory of 2404 4700 Client-built - Copy.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe"C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a12855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3908
Network
-
Remote address:8.8.8.8:53Requestgateway.discord.ggIN AResponsegateway.discord.ggIN A162.159.135.234gateway.discord.ggIN A162.159.130.234gateway.discord.ggIN A162.159.136.234gateway.discord.ggIN A162.159.134.234gateway.discord.ggIN A162.159.133.234
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestdiscord.comIN AResponsediscord.comIN A162.159.136.232discord.comIN A162.159.137.232discord.comIN A162.159.135.232discord.comIN A162.159.128.233discord.comIN A162.159.138.232
-
Remote address:8.8.8.8:53Request232.136.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request234.135.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestgeolocation-db.comIN AResponsegeolocation-db.comIN A159.89.102.253
-
Remote address:8.8.8.8:53Request253.102.89.159.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprdeus17.eastus.cloudapp.azure.comonedscolprdeus17.eastus.cloudapp.azure.comIN A20.42.65.91
-
Remote address:159.89.102.253:443RequestGET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Mon, 24 Jun 2024 05:00:44 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
-
Remote address:159.89.102.253:443RequestGET /json/ HTTP/1.1
Host: geolocation-db.com
ResponseHTTP/1.1 200 OK
Date: Mon, 24 Jun 2024 05:00:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
-
2.4kB 20.9kB 26 29
-
1.1kB 5.5kB 9 10
-
1.6kB 4.5kB 12 10
HTTP Request
GET https://geolocation-db.com/jsonHTTP Response
301HTTP Request
GET https://geolocation-db.com/json/HTTP Response
200 -
1.5kB 3.5kB 10 10
-
8.9kB 4.7kB 16 14
-
1.3kB 3.4kB 8 9
-
1.1kB 936 B 5 4
-
261 B 507 B 4 4
DNS Request
gateway.discord.gg
DNS Response
162.159.135.234162.159.130.234162.159.136.234162.159.134.234162.159.133.234
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
discord.com
DNS Response
162.159.136.232162.159.137.232162.159.135.232162.159.128.233162.159.138.232
DNS Request
232.136.159.162.in-addr.arpa
-
287 B 550 B 4 4
DNS Request
234.135.159.162.in-addr.arpa
DNS Request
geolocation-db.com
DNS Response
159.89.102.253
DNS Request
253.102.89.159.in-addr.arpa
DNS Request
self.events.data.microsoft.com
DNS Response
20.42.65.91