Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25-06-2024 14:28
Behavioral task: behavioral1
- Sample: cdumper/compiler.exe
- Resource: win11-20240611-en
Behavioral task: behavioral2
- Sample: cdumper/setup.bat
- Resource: win11-20240611-en
General
- Target: cdumper/compiler.exe
- Size: 78KB
- MD5: cc0c0d53ea855321b892e9d69ce09d1f
- SHA1: 604de3c919a7768f107e15c12c816ed11ea0146f
- SHA256: cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529
- SHA512: 58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC
Malware Config
Extracted family: discordrat
- discord_token: MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
- server_id: 1250682422434074634
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
  Processes:
  flow  ioc
  1     discord.com
  3     discord.com
  5     discord.com
  7     discord.com
  8     discord.com
  9     discord.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description        ioc                                                                                                   process
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"       LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                               LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"               LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"   LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"           LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                    LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"                    LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"              LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                 LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"              LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"              LogonUI.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00   LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                    LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"   LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"          LogonUI.exe
- Suspicious behavior: LoadsDriver (64 IoCs)
  Processes (pid):
  4832 4128 2076 3880 3200 2228 3264 2088 2256 2600 1216 1244 1264 4980 1528 4288 3596 1488 4988 4636 388 1576 2816 2972 3320 3356 2628 4624 3588 652 2400 4596 2444 1484 3720 4224 3904 976 2192 2116 4516 1384 2500 4256 4168 3920 2528 3040 3076 3716 4100 4952 132 4632 4972 1028 4020 4080 3944 3324 3884 3812 3908 3468
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: compiler.exe
  description                  pid   process
  Token: SeDebugPrivilege      912   compiler.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: LogonUI.exe
  pid    process
  4752   LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: compiler.exe
  description                        pid   process        target process
  PID 912 wrote to memory of 2776    912   compiler.exe   shutdown.exe
  PID 912 wrote to memory of 2776    912   compiler.exe   shutdown.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /L
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a09055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/912-1-0x00007FFA92C93000-0x00007FFA92C95000-memory.dmp (Filesize: 8KB)
- memory/912-0-0x00000225C7ED0000-0x00000225C7EE8000-memory.dmp (Filesize: 96KB)
- memory/912-2-0x00000225E2590000-0x00000225E2752000-memory.dmp (Filesize: 1.8MB)
- memory/912-3-0x00007FFA92C90000-0x00007FFA93752000-memory.dmp (Filesize: 10.8MB)
- memory/912-4-0x00000225E3740000-0x00000225E3C68000-memory.dmp (Filesize: 5.2MB)
- memory/912-5-0x00007FFA92C90000-0x00007FFA93752000-memory.dmp (Filesize: 10.8MB)