Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
25-06-2024 14:30
Behavioral task
behavioral1
Sample
cdumper/compiler.exe
Resource
win11-20240611-en
windows11-21h2-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cdumper/setup.bat
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
General
-
Target
cdumper/compiler.exe
-
Size
78KB
-
MD5
cc0c0d53ea855321b892e9d69ce09d1f
-
SHA1
604de3c919a7768f107e15c12c816ed11ea0146f
-
SHA256
cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529
-
SHA512
58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
-
server_id
1250682422434074634
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 1 discord.com 4 discord.com 6 discord.com 7 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 1548 Process not Found 3136 Process not Found 1876 Process not Found 3328 Process not Found 4100 Process not Found 4504 Process not Found 2532 Process not Found 1276 Process not Found 572 Process not Found 4736 Process not Found 1916 Process not Found 1336 Process not Found 3040 Process not Found 3836 Process not Found 3560 Process not Found 3752 Process not Found 2492 Process not Found 4772 Process not Found 756 Process not Found 912 Process not Found 2760 Process not Found 4700 Process not Found 1552 Process not Found 708 Process not Found 1764 Process not Found 2284 Process not Found 1300 Process not Found 5076 Process not Found 2776 Process not Found 2836 Process not Found 1340 Process not Found 1572 Process not Found 1580 Process not Found 5036 Process not Found 1612 Process not Found 4664 Process not Found 1784 Process not Found 1312 Process not Found 4844 Process not Found 3120 Process not Found 5084 Process not Found 2960 Process not Found 752 Process not Found 1932 Process not Found 2416 Process not Found 4900 Process not Found 900 Process not Found 2820 Process not Found 3652 Process not Found 2024 Process not Found 3780 Process not Found 3360 Process not Found 3688 Process not Found 3588 Process not Found 3144 Process not Found 976 Process not Found 3076 Process not Found 4524 Process not Found 2896 Process not Found 4644 Process not Found 2080 Process not Found 3792 Process not Found 4896 Process not Found 2636 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4256 compiler.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1080 LogonUI.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4256 wrote to memory of 3912 4256 compiler.exe 78 PID 4256 wrote to memory of 3912 4256 compiler.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /L2⤵PID:3912
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a08055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1080