Overview

overview

10

Static

static

3

main.exe

windows10-2004-x64

10

Resubmissions

29/06/2024, 12:07

240629-papsaszfnl 10

29/06/2024, 12:00

240629-n6lj3szeqq 10

Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/06/2024, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    90KB

  • MD5

    9932b9f4ba73846661de9cd3a1773db1

  • SHA1

    3c03d8e1bcc1881a1dfecf4dd48281163fe7f8de

  • SHA256

    0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486

  • SHA512

    b1bec36207843d568d1ffec9457920afaea79c529a22e2e1d23ab38fda6d0fa39f523dfd2d4ec98485e34e5d880eac9beccafe36b2dc0cc45628145c87b1d047

  • SSDEEP

    1536:Msi8yMgTYYVJtD0wNJBNHPP3lLuBZAWsSTN56WsSTN5MwEYLzMkupBCZr:C8uTtownn3lWsSTdsSTqYLzupYr

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4256
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        svchost.exe
        2⤵
        • Executes dropped EXE
        PID:1572
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      79KB

      MD5

      d13905e018eb965ded2e28ba0ab257b5

      SHA1

      6d7fe69566fddc69b33d698591c9a2c70d834858

      SHA256

      2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

      SHA512

      b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

      Download Submit

    • memory/1688-13-0x00007FF93AB53000-0x00007FF93AB55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1688-14-0x000001CA21AE0000-0x000001CA21AF8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1688-15-0x000001CA3D340000-0x000001CA3D502000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1688-16-0x000001CA3DB80000-0x000001CA3E0A8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3528-12-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download