Overview

overview

10

Static

static

10

keep safe.exe

windows10-2004-x64

10

Resubmissions

03-07-2024 18:30

240703-w5swrstene 10

03-07-2024 17:15

240703-vs16yazcmr 10

03-07-2024 17:09

240703-vn4fhazblk 10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keep safe.exe

  • Size

    78KB

  • MD5

    161e7e7c7c33737fa13cf299f5de7bf8

  • SHA1

    c159f9f2822c45e4f79de8fb59bb19e7e8ee36b1

  • SHA256

    575eda3b9431c8a303be6c734aa85e4bc1b27d547b3f758f71f937d96ef3a50d

  • SHA512

    01ad7f71e02da53088f58f0ee6c02a0d378d9dcd6a0ff61f4f27910681ef8de1a2641e70716e4b77c79ab2a313bcc1afdca0d1bf36e4e2bfe1d0e13fb5ae8f8d

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzNDIwMzg4MDI0MjU0ODc4OQ.GnCtHh.ILBrbeZaD2WcnKYL9n7q5C3RNZnunVB1vxbYdM

  • server_id

    1249930029291536444

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2388
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
    1⤵
      PID:1996
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3648
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:896
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        1⤵
          PID:3008
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4188,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:1
          1⤵
            PID:1684
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3472,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:1
            1⤵
              PID:2736
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5256,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1
              1⤵
                PID:2440
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5660,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
                1⤵
                  PID:4816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6012,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:1
                  1⤵
                    PID:3936
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5428,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:1
                    1⤵
                      PID:3216
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5388,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:1
                      1⤵
                        PID:1072
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5564,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:8
                        1⤵
                          PID:3996
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3900,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:8
                          1⤵
                            PID:4552
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x4f0 0x508
                            1⤵
                              PID:1552
                            • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                              "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5264
                            • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                              "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5404
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6452,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:8
                              1⤵
                                PID:5648
                              • C:\Windows\system32\netplwiz.exe
                                "C:\Windows\system32\netplwiz.exe"
                                1⤵
                                  PID:5864
                                • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                  "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5972
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=6472,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:8
                                  1⤵
                                    PID:6068
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5212
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2396
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5364
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1488
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4892
                                  • C:\Users\Admin\AppData\Local\Temp\keep safe.exe
                                    "C:\Users\Admin\AppData\Local\Temp\keep safe.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4532
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=6568,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
                                    1⤵
                                      PID:5140

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/896-14-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-6-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-12-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-13-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-11-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-7-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-15-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-5-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-16-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/896-17-0x000002893A0D0000-0x000002893A0D1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2388-4-0x000001C6BA890000-0x000001C6BADB8000-memory.dmp

                                      Filesize

                                      5.2MB

                                      Download

                                    • memory/2388-1-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2388-0-0x000001C69FB00000-0x000001C69FB18000-memory.dmp

                                      Filesize

                                      96KB

                                      Download

                                    • memory/2388-3-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/2388-2-0x000001C6BA090000-0x000001C6BA252000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/2388-18-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download