Resubmissions

28-06-2024 20:12

240628-yzbfms1blg 10

28-06-2024 20:10

240628-yxrpvatenl 10

28-06-2024 20:02

240628-yr991atdlp 10

Analysis

  • max time kernel
    103s
  • max time network
    106s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    28-06-2024 20:10

Errors

Reason
Machine shutdown

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    c053ebb3f0f90a7705729579d25dd194

  • SHA1

    fe045f0584ee3656af1e89a6ca37ef68e7f252a3

  • SHA256

    85a287edb6eeb66eeada945ff71c946a76171be92244071c07d0ac5553d96cf2

  • SHA512

    a5beac0ec0b1ecad655f52555ff83d756169335be383bd2dd4310b4e9d2120fb939ed42116554ae1544ed9db56a3846d6ca0369d2af0430a8d7c3717e2223854

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0NzYzMjcxMjk1Nzk1NjE4Nw.G3MXNZ.B896PWyca43CGShZp7WvFVoaKLYOSP1no8IyaM

  • server_id

    1247637478639271976

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SYSTEM32\NetSh.exe
      "NetSh.exe" Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:4588
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4676

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Create or Modify System Process (1) T1543
    Windows Service (1) T1543.003
    Event Triggered Execution (1) T1546
    Netsh Helper DLL (1) T1546.007
  • Privilege Escalation
    Create or Modify System Process (1) T1543
    Windows Service (1) T1543.003
    Event Triggered Execution (1) T1546
    Netsh Helper DLL (1) T1546.007
  • Defense Evasion
    Impair Defenses (1) T1562
    Disable or Modify System Firewall (1) T1562.004
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Collection
    Data from Local System (1) T1005
  • Command and Control
    Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    11KB

    MD5

    cd56e155edf53e5728c46b6c9eb9c413

    SHA1

    14b1b0f090803c9ee39797aed4af13dc7849566d

    SHA256

    70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a

    SHA512

    a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

  • memory/2544-0-0x00007FFD8D1F3000-0x00007FFD8D1F5000-memory.dmp
    Filesize

    8KB

  • memory/2544-1-0x000001EA46310000-0x000001EA46328000-memory.dmp
    Filesize

    96KB

  • memory/2544-2-0x000001EA60990000-0x000001EA60B52000-memory.dmp
    Filesize

    1.8MB

  • memory/2544-3-0x00007FFD8D1F0000-0x00007FFD8DCB2000-memory.dmp
    Filesize

    10.8MB

  • memory/2544-4-0x000001EA61D60000-0x000001EA62288000-memory.dmp
    Filesize

    5.2MB

  • memory/2544-5-0x000001EA61830000-0x000001EA61AFA000-memory.dmp
    Filesize

    2.8MB

  • memory/2544-6-0x00007FFD8D1F3000-0x00007FFD8D1F5000-memory.dmp
    Filesize

    8KB

  • memory/2544-7-0x00007FFD8D1F0000-0x00007FFD8DCB2000-memory.dmp
    Filesize

    10.8MB

  • memory/2544-15-0x000001EA607C0000-0x000001EA607CE000-memory.dmp
    Filesize

    56KB