Analysis
-
max time kernel
118s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29/06/2024, 12:00
Static task
static1
Behavioral task
behavioral1
Sample
main.exe
Resource
win10v2004-20240611-en
General
-
Target
main.exe
-
Size
90KB
-
MD5
9932b9f4ba73846661de9cd3a1773db1
-
SHA1
3c03d8e1bcc1881a1dfecf4dd48281163fe7f8de
-
SHA256
0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486
-
SHA512
b1bec36207843d568d1ffec9457920afaea79c529a22e2e1d23ab38fda6d0fa39f523dfd2d4ec98485e34e5d880eac9beccafe36b2dc0cc45628145c87b1d047
-
SSDEEP
1536:Msi8yMgTYYVJtD0wNJBNHPP3lLuBZAWsSTN56WsSTN5MwEYLzMkupBCZr:C8uTtownn3lWsSTdsSTqYLzupYr
Malware Config
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation main.exe -
Executes dropped EXE 4 IoCs
pid Process 1688 svchost.exe 4256 svchost.exe 1572 svchost.exe 4348 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1688 svchost.exe Token: SeDebugPrivilege 4256 svchost.exe Token: SeDebugPrivilege 4348 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3528 wrote to memory of 1688 3528 main.exe 87 PID 3528 wrote to memory of 1688 3528 main.exe 87 PID 1940 wrote to memory of 1572 1940 cmd.exe 110 PID 1940 wrote to memory of 1572 1940 cmd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\svchost.exesvchost.exe2⤵
- Executes dropped EXE
PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD5d13905e018eb965ded2e28ba0ab257b5
SHA16d7fe69566fddc69b33d698591c9a2c70d834858
SHA2562bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
SHA512b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb