Analysis

  • max time kernel
    46s
  • max time network
    48s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-06-2024 05:00

Errors

Reason
Machine shutdown. The sample itself spawned "shutdown.exe /s /t 0" (see Processes), so the guest powered off after roughly 46 s and any later behaviour was not observed; treat the signature list below as a lower bound.

General

  • Target

    Client-built - Copy.exe

  • Size

    78KB

  • MD5

    fa1a7fb8afaef6825535ef885409a484

  • SHA1

    4ee27f06202c15c90c04dc4da55a8fad1adcb7f1

  • SHA256

    0e294775732a677349f781ee128643e719ec723638b0a4ea92b594aa6a5359a1

  • SHA512

    27911382db140aa75ec29ff0ff455735035d16d3ed7544289d5783202882f9457899c574274733b212f768a6a907b1e9ebf49be2137c8375f2f29c888fdc9f36

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1NDI2NzMxMTc1NDMxNzkzNQ.G1kpEW.8_zOmb-wMjYJWcW9I4Z-tXZc1z0-NpZOZgk2y8

  • server_id

    1254269611520823366
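Two of the extracted values are Discord snowflakes, and the first dot-separated segment of a Discord bot token is the base64 of the bot's own user ID snowflake; the third segment is the HMAC that makes the token a live credential, so the config above should be handled as a secret. The script below decodes what can be decoded. It is an added example for this report, not sandbox output and not the RAT's code; the only inputs are the token and server_id shown in the Malware Config section, and the snowflake layout and Discord epoch (2015-01-01T00:00:00Z) are as documented by Discord.

```python
"""Decode the Discord identifiers extracted from the discordrat config.

Added example for this report (not part of the sandbox output or the RAT).
Snowflake layout: top 42 bits are milliseconds since the Discord epoch.
The first token segment is unpadded base64 of the bot user ID; the third
segment is an HMAC and is deliberately not examined.
"""
import base64
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z in Unix milliseconds
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Values copied verbatim from the "Malware Config" section of this report.
TOKEN = "MTI1NDI2NzMxMTc1NDMxNzkzNQ.G1kpEW.8_zOmb-wMjYJWcW9I4Z-tXZc1z0-NpZOZgk2y8"
SERVER_ID = 1254269611520823366


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a snowflake (integer arithmetic, no float rounding)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def bot_id_from_token(token: str) -> int:
    """Return the bot user ID carried in the first token segment.

    The segment is base64 without padding; re-pad to a multiple of four
    before decoding, then require the result to be a decimal snowflake.
    """
    first = token.split(".")[0]
    first += "=" * (-len(first) % 4)
    decoded = base64.b64decode(first).decode("ascii")
    if not decoded.isdigit():
        raise ValueError("first token segment does not decode to a snowflake")
    return int(decoded)


def summarize(token: str, server_id: int) -> dict:
    """Bot ID plus creation times of the bot account and the C2 guild."""
    bot_id = bot_id_from_token(token)
    return {
        "bot_id": bot_id,
        "bot_created": snowflake_to_datetime(bot_id),
        "server_created": snowflake_to_datetime(server_id),
    }


if __name__ == "__main__":
    for key, value in summarize(TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Both snowflakes decode to 2024-06-23 UTC, the bot account about nine minutes before the server and about a day before this submission, which fits freshly built tooling. The bot ID and the token are the durable indicators here; the Discord addresses in the Network section are Cloudflare anycast shared with legitimate Discord traffic and are not worth blocking on their own.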

Signatures

  • Discord RAT
    A RAT written in C# using Discord as a C2.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

    Note: the process tree below attributes "Modifies data under HKEY_USERS" and "Suspicious use of SetWindowsHookEx" to LogonUI.exe, a Windows component that appears during the forced shutdown, not to the sample. The behaviours that belong to Client-built - Copy.exe are the Discord C2 traffic, the WriteProcessMemory and AdjustPrivilegeToken calls, and spawning shutdown.exe.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe  (PID 4700, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Windows\System32\shutdown.exe  (PID 2404, depth 2, child of PID 4700)
      "C:\Windows\System32\shutdown.exe" /s /t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe  (PID 3908, depth 1)
    "LogonUI.exe" /flags:0x4 /state0:0xa3a12855 /state1:0x41c64e6d
    Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

    Note: "/s /t 0" is an immediate shutdown with no grace period, which is why the run ended with "Machine shutdown" after about 46 s; the AdjustPrivilegeToken hit on shutdown.exe is it enabling SeShutdownPrivilege. LogonUI.exe is a separate root process (the Windows sign-in/sign-out UI brought up while the session is torn down), not a child of the sample, so the HKEY_USERS and SetWindowsHookEx signatures are attributable to it rather than to Client-built - Copy.exe.
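The process tree and the Network section together give two host-side behaviours worth turning into detection logic: a binary running from a user-writable temp path that spawns shutdown.exe, and the same binary resolving Discord gateway/API hosts. The Python below runs that logic over constructed events. It is an added example for this report, not sandbox output and not the RAT's code; the event dicts mimic Sysmon Event ID 1 (process create) and Event ID 22 (DNS query) fields with simplified names, the PIDs, paths and command lines of the sample come from this report, and the explorer.exe parent PID, the Discord client path and the cmd.exe control event are invented to exercise the benign side.

```python
"""Detection logic for the two behaviours this report attributes to the sample.

Added example for this report (not sandbox output, not the RAT's code).
Events are constructed to mirror Sysmon Event ID 1 (process create) and
Event ID 22 (DNS query) with simplified field names. PID 4700 / 2404, the
sample path and the shutdown command line are from the report; the other
PIDs, the Discord client path and the cmd.exe event are invented controls.
"""
import re

# Paths an unprivileged user can write to. The Discord desktop client lives
# under AppData\Local\Discord, which deliberately does not match.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# Hosts a Discord-C2 bot must reach. They are Cloudflare-fronted, so the
# hostname in the DNS event, not the IP, is the useful indicator.
DISCORD_HOSTS = {"discord.com", "discord.gg", "discordapp.com"}
DISCORD_HOST_SUFFIXES = (".discord.gg", ".discord.com", ".discordapp.com")
# shutdown.exe /s (shutdown) or /r (reboot) as a standalone switch.
SHUTDOWN_SWITCH = re.compile(r"(^|\s)[/-][sr](\s|$)", re.IGNORECASE)

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Client-built - Copy.exe"

# Constructed events, in the order the report shows the activity.
EVENTS = [
    {"id": 1, "pid": 4700, "ppid": 2120, "image": TEMP_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{TEMP_EXE}"'},
    {"id": 22, "pid": 4700, "image": TEMP_EXE, "query": "gateway.discord.gg"},
    {"id": 22, "pid": 4700, "image": TEMP_EXE, "query": "discord.com"},
    {"id": 22, "pid": 4700, "image": TEMP_EXE, "query": "geolocation-db.com"},
    {"id": 1, "pid": 2404, "ppid": 4700, "image": r"C:\Windows\System32\shutdown.exe",
     "parent_image": TEMP_EXE, "cmdline": r'"C:\Windows\System32\shutdown.exe" /s /t 0'},
    # Benign controls: the real Discord client reaching the gateway, and an
    # administrator's delayed shutdown from cmd.exe. Neither should fire.
    {"id": 22, "pid": 5100, "query": "gateway.discord.gg",
     "image": r"C:\Users\Admin\AppData\Local\Discord\app-1.0.9151\Discord.exe"},
    {"id": 1, "pid": 6000, "ppid": 5900, "image": r"C:\Windows\System32\shutdown.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "shutdown /s /t 60"},
]


def is_discord_host(host: str) -> bool:
    """True for Discord's API/gateway domains and their subdomains."""
    host = host.lower().rstrip(".")
    return host in DISCORD_HOSTS or host.endswith(DISCORD_HOST_SUFFIXES)


def detect(events):
    """Return one finding per matching event; 'pid' is the suspect process."""
    findings = []
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith("\\shutdown.exe"):
            # Rule 1: shutdown/reboot requested by a parent running from a temp path.
            if USER_WRITABLE.search(e["parent_image"]) and SHUTDOWN_SWITCH.search(e["cmdline"]):
                findings.append({"rule": "temp_binary_forces_shutdown", "pid": e["ppid"],
                                 "image": e["parent_image"], "evidence": e["cmdline"]})
        elif e["id"] == 22 and USER_WRITABLE.search(e["image"]) and is_discord_host(e["query"]):
            # Rule 2: Discord lookups from a binary that is not an installed client.
            findings.append({"rule": "temp_binary_resolves_discord", "pid": e["pid"],
                             "image": e["image"], "evidence": e["query"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:30} pid={f['pid']} {f['evidence']}")
```

On the constructed events the two rules fire three times, all against PID 4700, and stay silent for the Discord client and the cmd.exe shutdown. The path condition carries the precision: Discord DNS traffic alone is normal on a workstation, and so is shutdown.exe, but neither is normal from an executable in %TEMP%.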

Network

  • DNS  gateway.discord.gg  A  (Client-built - Copy.exe → 8.8.8.8:53)
    Response: 162.159.135.234, 162.159.130.234, 162.159.136.234, 162.159.134.234, 162.159.133.234
  • DNS  8.8.8.8.in-addr.arpa  PTR  (Client-built - Copy.exe → 8.8.8.8:53)
    Response: dns.google
  • DNS  discord.com  A  (Client-built - Copy.exe → 8.8.8.8:53)
    Response: 162.159.136.232, 162.159.137.232, 162.159.135.232, 162.159.128.233, 162.159.138.232
  • DNS  232.136.159.162.in-addr.arpa  PTR  (Client-built - Copy.exe → 8.8.8.8:53)
    Response: (empty)
  • DNS  234.135.159.162.in-addr.arpa  PTR  (→ 8.8.8.8:53; process not attributed)
    Response: (empty)
  • DNS  geolocation-db.com  A  (→ 8.8.8.8:53; process not attributed)
    Response: 159.89.102.253
  • DNS  253.102.89.159.in-addr.arpa  PTR  (→ 8.8.8.8:53; process not attributed)
    Response: (empty)
  • DNS  self.events.data.microsoft.com  A  (→ 8.8.8.8:53; process not attributed)
    Response: CNAME self-events-data.trafficmanager.net → CNAME onedscolprdeus17.eastus.cloudapp.azure.com → A 20.42.65.91

    Note: the Discord A records are Cloudflare anycast addresses shared with legitimate Discord traffic, so the hostnames (and the bot token above) are the indicators, not the IPs. The reverse (PTR) lookups are the sandbox resolving the addresses it saw, and self.events.data.microsoft.com is Windows telemetry unrelated to the sample.
  • GET https://geolocation-db.com/json  (Client-built - Copy.exe → 159.89.102.253:443)
    Request
      GET /json HTTP/1.1
      Host: geolocation-db.com
      Connection: Keep-Alive
    Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx/1.14.0 (Ubuntu)
      Date: Mon, 24 Jun 2024 05:00:44 GMT
      Content-Type: text/html
      Content-Length: 194
      Location: https://geolocation-db.com/json/
      Connection: keep-alive
  • GET https://geolocation-db.com/json/  (Client-built - Copy.exe → 159.89.102.253:443)
    Request
      GET /json/ HTTP/1.1
      Host: geolocation-db.com
    Response
      HTTP/1.1 200 OK
      Server: nginx/1.14.0 (Ubuntu)
      Date: Mon, 24 Jun 2024 05:00:44 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Access-Control-Allow-Origin: *

    Note: geolocation-db.com/json/ is a public IP-geolocation lookup of the caller's own address, a common RAT fingerprinting step; the response body is not captured in this report. The first request lacks the trailing slash and is redirected, so both URLs will appear in proxy logs.
  Connections (bytes and packets as listed by the sandbox, sent / received):

  Remote address        Domain / URL                       Protocol   Process                   Sent    Received   Pkts
  162.159.135.234:443   gateway.discord.gg                 tls        Client-built - Copy.exe   2.4kB   20.9kB     26 / 29
  162.159.136.232:443   discord.com                        tls        Client-built - Copy.exe   1.1kB   5.5kB      9 / 10
  159.89.102.253:443    https://geolocation-db.com/json/   tls, http  Client-built - Copy.exe   1.6kB   4.5kB      12 / 10
      HTTP: GET https://geolocation-db.com/json → 301; GET https://geolocation-db.com/json/ → 200
  162.159.136.232:443   discord.com                        tls        Client-built - Copy.exe   1.5kB   3.5kB      10 / 10
  162.159.136.232:443   discord.com                        tls        Client-built - Copy.exe   8.9kB   4.7kB      16 / 14
  162.159.136.232:443   discord.com                        tls        Client-built - Copy.exe   1.3kB   3.4kB      8 / 9
  162.159.136.232:443   discord.com                        tls        Client-built - Copy.exe   1.1kB   936 B      5 / 4
  8.8.8.8:53            gateway.discord.gg                 dns        Client-built - Copy.exe   261 B   507 B      4 / 4
      DNS: gateway.discord.gg → 162.159.135.234, 162.159.130.234, 162.159.136.234, 162.159.134.234, 162.159.133.234;
           8.8.8.8.in-addr.arpa; discord.com → 162.159.136.232, 162.159.137.232, 162.159.135.232, 162.159.128.233, 162.159.138.232;
           232.136.159.162.in-addr.arpa
  8.8.8.8:53            234.135.159.162.in-addr.arpa       dns        (not attributed)          287 B   550 B      4 / 4
      DNS: 234.135.159.162.in-addr.arpa; geolocation-db.com → 159.89.102.253; 253.102.89.159.in-addr.arpa;
           self.events.data.microsoft.com → 20.42.65.91

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4700-1-0x0000020FECC40000-0x0000020FECC58000-memory.dmp  (96KB)
  • memory/4700-0-0x00007FFC5A173000-0x00007FFC5A175000-memory.dmp  (8KB)
  • memory/4700-2-0x0000020FEF220000-0x0000020FEF3E2000-memory.dmp  (1.8MB)
  • memory/4700-3-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp  (10.8MB)
  • memory/4700-4-0x0000020FF04F0000-0x0000020FF0A18000-memory.dmp  (5.2MB)
  • memory/4700-5-0x00007FFC5A173000-0x00007FFC5A175000-memory.dmp  (8KB)
  • memory/4700-6-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp  (10.8MB)
  • memory/4700-7-0x00007FFC5A170000-0x00007FFC5AC32000-memory.dmp  (10.8MB)

    All dumps are from PID 4700 (Client-built - Copy.exe); the dump name encodes the PID, a sequence number and the address range captured.
