Analysis
-
max time kernel
36s -
max time network
48s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2024 12:07
Static task
static1
Behavioral task
behavioral1
Sample
main.exe
Resource
win10v2004-20240508-en
Errors
General
-
Target
main.exe
-
Size
90KB
-
MD5
9932b9f4ba73846661de9cd3a1773db1
-
SHA1
3c03d8e1bcc1881a1dfecf4dd48281163fe7f8de
-
SHA256
0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486
-
SHA512
b1bec36207843d568d1ffec9457920afaea79c529a22e2e1d23ab38fda6d0fa39f523dfd2d4ec98485e34e5d880eac9beccafe36b2dc0cc45628145c87b1d047
-
SSDEEP
1536:Msi8yMgTYYVJtD0wNJBNHPP3lLuBZAWsSTN56WsSTN5MwEYLzMkupBCZr:C8uTtownn3lWsSTdsSTqYLzupYr
Malware Config
Extracted
discordrat
-
discord_token
MTEzNjc5NTQ5MjA0NzY2NzIzMg.Gw46q5.mJzQH6rMBkFiwBs0CyveXqxrxY_QdRW4PfdzkE
-
server_id
1208115914978107542
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
main.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation main.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2460 svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
Processes:
flow ioc 26 discord.com 37 discord.com 23 discord.com 24 discord.com 25 discord.com 38 discord.com 14 discord.com 15 discord.com 20 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exedescription pid process Token: SeDebugPrivilege 2460 svchost.exe Token: SeShutdownPrivilege 2460 svchost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
main.exedescription pid process target process PID 672 wrote to memory of 2460 672 main.exe svchost.exe PID 672 wrote to memory of 2460 672 main.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
78KB
MD5206f64ecbc9b44294b492a9492f272c6
SHA1cead42b99b1e39cb21eda4f1033006337312f991
SHA256e1de218212a4f3d2dff3806e5bcd8e24a037648a598455dd1703500a87e1ba12
SHA512504ff60d659788ee617cf57d12f5991f484319299649e05133f5ae8f1145a78802d20a099e9fd0bc2ed94e9923bf9ac8c3766009b454bbe3f25a8f55b1987da3
-
memory/672-12-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2460-13-0x0000026518570000-0x0000026518588000-memory.dmpFilesize
96KB
-
memory/2460-14-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmpFilesize
8KB
-
memory/2460-15-0x0000026532C40000-0x0000026532E02000-memory.dmpFilesize
1.8MB
-
memory/2460-16-0x0000026534730000-0x0000026534C58000-memory.dmpFilesize
5.2MB
-
memory/2460-17-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmpFilesize
8KB