Overview

overview

10

Static

static

10

veydovokna.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-ja
  • resource tags

    arch:x64arch:x86image:win10-20240404-jalocale:ja-jpos:windows10-1703-x64systemwindows
  • submitted
    03-07-2024 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    veydovokna.exe

  • Size

    78KB

  • MD5

    7ee32f2553fa474e79b2f1a444172735

  • SHA1

    fc17876384c197f73a7471850d13748aa6f659b0

  • SHA256

    d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39

  • SHA512

    2789dc16e615f28c29f5e81ade9e4b03a47d9855cc9092bbcdf90ce7419fe38cabd729a87f038f4aa3d8e2f5317ac69a0637737f468dd8d05532dbd3dda738b9

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls

  • server_id

    1257063713945419826

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\veydovokna.exe
    "C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:200
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C notepad
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\system32\notepad.exe
        notepad
        3⤵
          PID:4684
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DebugSelect.png" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5028
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4920
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:212
    • C:\Windows\System32\IME\SHARED\imebroker.exe
      C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
      1⤵
        PID:2104
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2948
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3764
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4348
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4348 CREDAT:82945 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4380
        • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Downloads\UpdateSave.potm"
          1⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:4612

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4F11BAC9-7E2B-45BD-BE40-FB947FE16720
          Filesize

          168KB

          MD5

          f64192fe685ad22718f4ea306fa8e5a2

          SHA1

          817dac34cec7bbce59cc3ed1aff9d16b4f96b703

          SHA256

          5a92e5720c0282c229b6903ca6c59f5d082cc85252ae9e692fb496954d01f2da

          SHA512

          d8c3cfc57385c64b75284e0181bea1f62732a1c033e6508295a4051533c3bc0fa0b42630b338b7c558bc81c82867d8c03e776db956066a7060681114d871f845

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
          Filesize

          2KB

          MD5

          849028bb95b6b8892d3fd5da719f4faa

          SHA1

          4489570aa68a5a808b6de7bfb2b96d1fc3bace08

          SHA256

          d23f2abab0eea1e14740e0078d326abfed01383db21a688d8367821b009c7491

          SHA512

          8669b6226a4f7b793fca207026e8c1cb27ced021c6f72c8688c37a96b7943c94a87605e9b13a78a6271a84e6f12006b149b054f7c293ebec86766a920f694694

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
          Filesize

          252B

          MD5

          af2427248b7e35101931d9ede5944280

          SHA1

          b208707c8fcea94714382f440a83aa4335347576

          SHA256

          3a78d84627e081ebce79f18ee9dd7a7d72c98d9d427169a5be92c95f5e88be7a

          SHA512

          bb7cf0b52812db2a9c498b1e638abd9ede1d628021ac5478934377483b42f922b969ee3fa72b1810d4b0486ddd21ba7ae9809b88291eec84d3c5cd4d6ef4f791

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
          Filesize

          2B

          MD5

          d751713988987e9331980363e24189ce

          SHA1

          97d170e1550eee4afc0af065b78cda302a97674c

          SHA256

          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

          SHA512

          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
          Filesize

          253B

          MD5

          76dc830e4dc457285b6e413d90664f6b

          SHA1

          c6a6282364e96292d1102f1b8da300eb424617fc

          SHA256

          58ab75f7006b0d6e1eddd53dab8612546150e85b54671f06819012a72bc2c187

          SHA512

          c2ce9cbdc29f53c80e659120cd6558afa000d52f22c24fa74ae50d131824c708a9c10eda1dc791ffd07badfced50d7f8df6314060e425701100a50a6aaef8b29

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
          Filesize

          2KB

          MD5

          404a3ec24e3ebf45be65e77f75990825

          SHA1

          1e05647cf0a74cedfdeabfa3e8ee33b919780a61

          SHA256

          cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

          SHA512

          a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
          Filesize

          224B

          MD5

          e66d36cbcfd69fdf8db6e5c649137ef1

          SHA1

          c1ce08cca33347fe58f95f78f61c31ac6501f511

          SHA256

          15376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4

          SHA512

          78a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
          Filesize

          18KB

          MD5

          88abdfda6adcb8adc7bda2f1cd9feb02

          SHA1

          35952ec032424c4c8452ae95d62a30b004d46fa6

          SHA256

          f9d9ec58e179451c86b9f468f465aec3103dd252e061acfa63bb64bef3f35336

          SHA512

          6209fa832c5835e6170cce35f4a225309b577a185b1abf9dbd15565eb968608436c4a121436ec92836bd71511f5593cbe59dc77834eecd1c544d523e18a3767b

          Download Submit

        • C:\Users\Admin\Downloads\ReceiveUndo.zip
          Filesize

          421KB

          MD5

          b628e6dae4318591c99ae3be44c951c0

          SHA1

          4a59ee725301793c25073e940e62207ea2e37d58

          SHA256

          1aa3420e9a2bfc3fa221f0b602232febbbe14566d6c8efa940a743d1ff7f993a

          SHA512

          640f38b53638177c441dca7d3eadcaba944f0dec5c31eb395156b699a4ca6d991b584a2ee4d148e57d5e81c78f51623657c20b3d213e890b6946a23ddc809a20

          Download Submit

        • memory/200-4-0x00007FFA0A290000-0x00007FFA0AC7C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/200-8-0x00007FFA0A290000-0x00007FFA0AC7C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/200-7-0x00007FFA0A293000-0x00007FFA0A294000-memory.dmp

          Filesize

          4KB

          Download

        • memory/200-6-0x000001F5BE7A0000-0x000001F5BE8AE000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/200-5-0x000001F5BEBC0000-0x000001F5BF0E6000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/200-0-0x00007FFA0A293000-0x00007FFA0A294000-memory.dmp

          Filesize

          4KB

          Download

        • memory/200-3-0x000001F5BE120000-0x000001F5BE168000-memory.dmp

          Filesize

          288KB

          Download

        • memory/200-2-0x000001F5BE2F0000-0x000001F5BE4B2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/200-1-0x000001F5A3CD0000-0x000001F5A3CE8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2948-92-0x00007FF9E3F30000-0x00007FF9E3F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-88-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-87-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-353-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-352-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-351-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-350-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-85-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-86-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2948-91-0x00007FF9E3F30000-0x00007FF9E3F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-363-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-372-0x00007FF9E3F30000-0x00007FF9E3F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-373-0x00007FF9E3F30000-0x00007FF9E3F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-362-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-361-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-579-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-581-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-580-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-578-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-360-0x00007FF9E7AA0000-0x00007FF9E7AB0000-memory.dmp

          Filesize

          64KB

          Download