Overview

overview

10

Static

static

10

cdumper/compiler.exe

windows11-21h2-x64

10

cdumper/setup.bat

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-06-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdumper/compiler.exe

  • Size

    78KB

  • MD5

    cc0c0d53ea855321b892e9d69ce09d1f

  • SHA1

    604de3c919a7768f107e15c12c816ed11ea0146f

  • SHA256

    cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529

  • SHA512

    58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU

  • server_id

    1250682422434074634

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe
    "C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /L
      2⤵
        PID:3912
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3a08055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1080

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4256-0-0x00000204F7DE0000-0x00000204F7DF8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/4256-1-0x00007FFEBD033000-0x00007FFEBD035000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4256-2-0x00000204FA410000-0x00000204FA5D2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4256-3-0x00007FFEBD030000-0x00007FFEBDAF2000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4256-4-0x00000204FB690000-0x00000204FBBB8000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4256-5-0x00007FFEBD030000-0x00007FFEBDAF2000-memory.dmp
      Filesize

      10.8MB

      Download