Overview

overview

10

Static

static

10

cdumper/compiler.exe

windows7-x64

10

cdumper/compiler.exe

windows10-2004-x64

10

cdumper/setup.bat

windows7-x64

1

cdumper/setup.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdumper/compiler.exe

  • Size

    78KB

  • MD5

    cc0c0d53ea855321b892e9d69ce09d1f

  • SHA1

    604de3c919a7768f107e15c12c816ed11ea0146f

  • SHA256

    cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529

  • SHA512

    58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU

  • server_id

    1250682422434074634

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe
    "C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5024
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.0.1972049484\1816877333" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fb9b10c-0b74-4f36-88d5-a3378b5eea74} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 1868 249709e7a58 gpu
        3⤵
          PID:1264
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.1.1205095530\45787735" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646e6e6f-f82a-4102-9bf2-d1393836abfd} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 2436 24964c89358 socket
          3⤵
          • Checks processor information in registry
          PID:1960
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.2.724354009\563627700" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f80dd55f-4a7d-4ff6-9a3f-a520aac2ed2e} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 2988 249746edd58 tab
          3⤵
            PID:3804
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.3.1410662834\155034935" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 2836 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98d9b37d-9d63-46af-be6f-d3121ef18378} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 3704 249764d2458 tab
            3⤵
              PID:1632
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.4.1450551812\1616609593" -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 5088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9dc821-11bc-4e81-8714-5baf4d708d09} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5124 249786efc58 tab
              3⤵
                PID:3136
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.5.992737942\1310033322" -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 5292 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8977024-aa79-461a-ae21-8d8aa61056cb} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5276 249786ede58 tab
                3⤵
                  PID:3848
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.6.1715838597\623193095" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9b307c-2fc7-415e-b429-a17949ecea98} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5460 249786ed858 tab
                  3⤵
                    PID:4612
              • C:\Windows\system32\notepad.exe
                "C:\Windows\system32\notepad.exe"
                1⤵
                  PID:1976

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  27KB

                  MD5

                  296c1b0dfc66f9685cb4e3e21552c40e

                  SHA1

                  cc1d6a72603f937ea4e78e94f150e8e45d47309a

                  SHA256

                  33864b42fc0a63432a6fc014fceb628a353c4ffe8f18576b5544503ec9edd397

                  SHA512

                  584f85219f7b8001b4c569762278285aedc6ad9a243d4e6fcde62693dafaca584dd431d382e0c06581e8e2d5b17abb0b898f7185305db7006d747c972e22ece0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  6e99ed372bfb7480364b84c7942ca7e6

                  SHA1

                  0b440b19904a36523b0abe200d3d817bb70f631c

                  SHA256

                  7f6fa19930900ecc80c0edc4cf0da4afad8245915de187ffc5233ee33e6ae4c0

                  SHA512

                  d369055c6d4e4a14dbe559d3d8270c2d91b1e1fc0f3bb5dbfebb9885a0cc9c3c8c6991f6284e0d2f1e39cd17054398a7e8f9f368164fb84577da1bfa8d103eab

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  0afee1f4786fc408d1210191fbdec628

                  SHA1

                  55f0c6946206e137ddf4a5c236f88309aa91837e

                  SHA256

                  88789bd4c964a9cd51c508282910cf8585cf76ab9503e724351ec11644a6039a

                  SHA512

                  acba7cdf1cd2dfe93768625dd19a53e421e782bef8134ed5606a5a9bb50f9196df7f783754a0c229ae303a79ad23f51664f9e7920af441eb45863605cc779e26

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
                  Filesize

                  901B

                  MD5

                  8269c6087ab2af10508019dadca4b177

                  SHA1

                  98b08ac1070da11a4547597ecb6a21aeb6f5ecf0

                  SHA256

                  0eae41324d11bb512b0ea4dc2f22d79a6de16070d077deb4028868f757e3ae1f

                  SHA512

                  7f674d5a8d159ac312df1d84af25a30ceec32fa808bb0ae288c38adffb20841496eba61fd2f3cd931f7e4400070535149fa476019d63c9ded422a848c9eaec3f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  192KB

                  MD5

                  ac00157ac293d8bed87680352dbf820a

                  SHA1

                  d0ca3dd3bac5cf7a75c1ff883e6bd0a4783f5995

                  SHA256

                  4d5eb90affec601acaf76e6209efd8ddb4cae39bf7461048387d5ebdf53d3c5c

                  SHA512

                  331782195fd488207b36bce4329126aeda3cda8d1f483474da65eccad0a3128e629f8ab38906c4087b6554cc3276c0ddc9f42cd4b2a50cefaf9f07f84f50d5ec

                  Download Submit

                • memory/5024-0-0x00007FFBF0D83000-0x00007FFBF0D85000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5024-1-0x000001D3352A0000-0x000001D3352B8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/5024-2-0x000001D34F8A0000-0x000001D34FA62000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/5024-3-0x000001D336E90000-0x000001D336EA0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/5024-4-0x000001D3500A0000-0x000001D3505C8000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/5024-5-0x00007FFBF0D83000-0x00007FFBF0D85000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5024-6-0x000001D336E90000-0x000001D336EA0000-memory.dmp

                  Filesize

                  64KB

                  Download