Analysis
max time kernel: 135s
max time network: 136s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-07-2024 14:10
Static task: static1
Behavioral task: behavioral1
Sample: cutecatgjp.exe
Resource: win10-20240404-en
General
Target: cutecatgjp.exe
Size: 571KB
MD5: 56950b73f1d8a345e5cac4a890199ad6
SHA1: e06360883d38743190b0ce03eaf4ae61e50b104f
SHA256: 32f2cb98c31c82d74dd71ff361c1b70b8a71b75b56348ce808d2521f4aab7b81
SHA512: f2c32d057c0e1ffa99d185ec4f6057f9941c8b21a51fdaf91f88f561e17ed07a74dafb1f213a066a52f79f771e1ca38ede6c663d471a325f3f900160c9f1e818
SSDEEP: 12288:hyveQB/fTHIGaPkKEYzURNAwbAg8awGznzgJgHYxT4Nxt7HGt:huDXTIGaPhEYzUzA0q4znzgJgHYRmGt
Malware Config
Extracted: discordrat
discord_token: MTI1ODA0NzAxNDQ0MTMyNDY2NA.GJFaRS.ML3_kAVkMruyTd0hsxxYBK2V-qnvxomT03peSY
server_id: 1255506406946373766
Signatures
Discord RAT
  A RAT written in C# using Discord as a C2.
Executes dropped EXE (1 IoC)
  Processes: backdoor.exe (PID 2412)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: backdoor.exe (PID 2412), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    PID 1008 (cutecatgjp.exe) wrote to memory of PID 2412 (backdoor.exe)
    PID 1008 (cutecatgjp.exe) wrote to memory of PID 2412 (backdoor.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\cutecatgjp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cutecatgjp.exe"
   PID: 1008
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      PID: 2412
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  Filesize: 78KB
  MD5: cfc5ba6bfc1cb9ee620ec90d1f1adf90
  SHA1: 8edf8d4562c940cd5444aadeffe6657362a7262f
  SHA256: e6918fba0ddf8c2d9a7daf640762163dc8c2b9aaf474e3d45ddb2901328d5f16
  SHA512: 9631aa7bab6c97aa19b365f5296f3fa37709349d567ba00d7bd8b67003279647ec62c18ddfd777990221300b1e069a09124e70d94496d2114aeffb67a9f5b58c
memory/2412-11-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp
  Filesize: 4KB
memory/2412-10-0x0000020C9E760000-0x0000020C9E778000-memory.dmp
  Filesize: 96KB
memory/2412-12-0x0000020CB8E30000-0x0000020CB8FF2000-memory.dmp
  Filesize: 1.8MB
memory/2412-13-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
  Filesize: 9.9MB
memory/2412-14-0x0000020CB9730000-0x0000020CB9C56000-memory.dmp
  Filesize: 5.1MB
memory/2412-15-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp
  Filesize: 4KB
memory/2412-16-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
  Filesize: 9.9MB