Overview

overview

10

Static

static

10

Client-bui...py.exe

windows11-21h2-x64

Analysis

  • max time kernel
    46s
  • max time network
    48s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-06-2024 05:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Client-built - Copy.exe

  • Size

    78KB

  • MD5

    fa1a7fb8afaef6825535ef885409a484

  • SHA1

    4ee27f06202c15c90c04dc4da55a8fad1adcb7f1

  • SHA256

    0e294775732a677349f781ee128643e719ec723638b0a4ea92b594aa6a5359a1

  • SHA512

    27911382db140aa75ec29ff0ff455735035d16d3ed7544289d5783202882f9457899c574274733b212f768a6a907b1e9ebf49be2137c8375f2f29c888fdc9f36

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1NDI2NzMxMTc1NDMxNzkzNQ.G1kpEW.8_zOmb-wMjYJWcW9I4Z-tXZc1z0-NpZOZgk2y8

  • server_id

    1254269611520823366

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a12855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4700-1-0x0000020FECC40000-0x0000020FECC58000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4700-0-0x00007FFC5A173000-0x00007FFC5A175000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4700-2-0x0000020FEF220000-0x0000020FEF3E2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4700-3-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4700-4-0x0000020FF04F0000-0x0000020FF0A18000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4700-5-0x00007FFC5A173000-0x00007FFC5A175000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4700-6-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4700-7-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp
    Filesize

    10.8MB

    Download