Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 12:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: main.exe
  Resource: win10v2004-20240611-en
General
- Target: main.exe
- Size: 90KB
- MD5: 9932b9f4ba73846661de9cd3a1773db1
- SHA1: 3c03d8e1bcc1881a1dfecf4dd48281163fe7f8de
- SHA256: 0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486
- SHA512: b1bec36207843d568d1ffec9457920afaea79c529a22e2e1d23ab38fda6d0fa39f523dfd2d4ec98485e34e5d880eac9beccafe36b2dc0cc45628145c87b1d047
- SSDEEP: 1536:Msi8yMgTYYVJtD0wNJBNHPP3lLuBZAWsSTN56WsSTN5MwEYLzMkupBCZr:C8uTtownn3lWsSTdsSTqYLzupYr
Malware Config
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation
    process: main.exe
- Executes dropped EXE (4 IoCs)
  Processes:
    pid 1688  svchost.exe
    pid 4256  svchost.exe
    pid 1572  svchost.exe
    pid 4348  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeDebugPrivilege  pid 1688  svchost.exe
    description: Token: SeDebugPrivilege  pid 4256  svchost.exe
    description: Token: SeDebugPrivilege  pid 4348  svchost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 3528 wrote to memory of 1688  process: main.exe (3528)  target process: svchost.exe
    PID 3528 wrote to memory of 1688  process: main.exe (3528)  target process: svchost.exe
    PID 1940 wrote to memory of 1572  process: cmd.exe (1940)   target process: svchost.exe
    PID 1940 wrote to memory of 1572  process: cmd.exe (1940)   target process: svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\main.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: svchost.exe
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 79KB
  MD5: d13905e018eb965ded2e28ba0ab257b5
  SHA1: 6d7fe69566fddc69b33d698591c9a2c70d834858
  SHA256: 2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
  SHA512: b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
- memory/1688-13-0x00007FF93AB53000-0x00007FF93AB55000-memory.dmp
  Filesize: 8KB
- memory/1688-14-0x000001CA21AE0000-0x000001CA21AF8000-memory.dmp
  Filesize: 96KB
- memory/1688-15-0x000001CA3D340000-0x000001CA3D502000-memory.dmp
  Filesize: 1.8MB
- memory/1688-16-0x000001CA3DB80000-0x000001CA3E0A8000-memory.dmp
  Filesize: 5.2MB
- memory/3528-12-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB