Overview

overview

10

Static

static

10

HackerTool.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-07-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HackerTool.exe

  • Size

    78KB

  • MD5

    700cbe7842075702ba7a814135377cba

  • SHA1

    afc4dae81fdcd51e6cfba4df93b95473019db51d

  • SHA256

    aca13de69b970f10357414fc04b9d424e3ec91d46c48dcf23244309e6994de24

  • SHA512

    1a364f96ee78c3e83ec4a9e9a88d070a67fa55cbc4f3e2e5a99f2c4f5d933abee9f98f5537d56159a57771d82e78a19a1b14e1a52002d2420783cfafde59de11

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

Score
10/10
discordratevasionpersistenceprivilege_escalationratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1Nzk1NzI4ODU0MzUyMjk0OA.GIpluZ.fDKYKipS9PVq4yhIAizQmTyDwK5kQQ8ux_PrHQ

  • server_id

    1257954812113190942

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HackerTool.exe
    "C:\Users\Admin\AppData\Local\Temp\HackerTool.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SYSTEM32\NetSh.exe
      "NetSh.exe" Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:1248
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5028
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4184
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2656
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4992
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1108
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFFC46BF1F388296F5.TMP
    Filesize

    16KB

    MD5

    94cb6695cd33bce26458595f4e32157e

    SHA1

    ccadb7503d8915c8df19a62278d28fb3a77193aa

    SHA256

    b184a122bad0dc4fd0b3c8d2996975a95fdd11e4b1cd9d84accf3cc69fe760d7

    SHA512

    514d15e08a78dbb9a4369b8014e9b30d39d7a9384a8b69840bd569820018b69413d178ee758e8a65faac633e5da681286e30a5e71f9987d2b66679dd5ffcd7ba

    Download Submit

  • memory/1108-60-0x000002CE60CA0000-0x000002CE60CA2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-70-0x000002CE60EE0000-0x000002CE60EE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-57-0x000002CE50000000-0x000002CE50100000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1108-62-0x000002CE60CC0000-0x000002CE60CC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-64-0x000002CE60CE0000-0x000002CE60CE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-66-0x000002CE60E00000-0x000002CE60E02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-68-0x000002CE60E20000-0x000002CE60E22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1572-102-0x00000202703E0000-0x00000202706AA000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1572-6-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1572-3-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-2-0x000002026F6B0000-0x000002026F872000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1572-101-0x000002026FD60000-0x000002026FD6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1572-1-0x0000020255130000-0x0000020255148000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1572-4-0x000002026FEB0000-0x00000202703D6000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1572-5-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4992-52-0x0000022D4B800000-0x0000022D4B900000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5028-42-0x00000267EC880000-0x00000267EC882000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5028-23-0x00000267ED720000-0x00000267ED730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5028-91-0x00000267F1970000-0x00000267F1972000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5028-94-0x00000267EC8D0000-0x00000267EC8D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5028-98-0x00000267EC7E0000-0x00000267EC7E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5028-7-0x00000267ED620000-0x00000267ED630000-memory.dmp

    Filesize

    64KB

    Download