Analysis
-
max time kernel
80s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-07-2024 14:10
Behavioral task
behavioral1
Sample
bypasser/bypasser_final.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
bypasser/bypasser_final.exe
Resource
win10v2004-20240508-en
Errors
General
-
Target
bypasser/bypasser_final.exe
-
Size
135KB
-
MD5
a1288b1ec6fb4da4f55dc8fd53a6c4ce
-
SHA1
bead8a51b0c34f981a4b278681f63f3b88f9ad54
-
SHA256
f7dd8d7d380e311b86e9fb2d61b63eb212e70f5e8e51acdbf47a1dd4ed051891
-
SHA512
2fa5aa3a0d4daaa57854a9045a12b7e01a0f9864924cde12935646b25f172c787b120bdaac65be85ebe442476c2c1f45b51b737ddbbd2579cf6416e65ab038a2
-
SSDEEP
1536:2vdWSVRVDlOzjRzrksAOO2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPICsov:2MSncRzAOOZv5PDwbjNrmAE+ZICsov
Malware Config
Extracted
discordrat
-
discord_token
MTI1MTMwNDM5NDkzNTUwNTA4Nw.GXLWWL.r7OUns0sCMr5I9ra_FffjxEK2E7LukBojfJIT8
-
server_id
1256804931839459358
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
bypasser_final.exeCLIENT-BUILT.EXEdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation bypasser_final.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation CLIENT-BUILT.EXE -
Executes dropped EXE 1 IoCs
Processes:
CLIENT-BUILT.EXEpid process 2528 CLIENT-BUILT.EXE -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
flow ioc 12 discord.com 22 discord.com 51 discord.com 53 discord.com 54 discord.com 55 discord.com 59 discord.com 11 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe -
Modifies registry class 2 IoCs
Processes:
bypasser_final.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings bypasser_final.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
CLIENT-BUILT.EXEshutdown.exedescription pid process Token: SeDebugPrivilege 2528 CLIENT-BUILT.EXE Token: SeShutdownPrivilege 1788 shutdown.exe Token: SeRemoteShutdownPrivilege 1788 shutdown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
OpenWith.exeLogonUI.exepid process 1420 OpenWith.exe 3028 LogonUI.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
bypasser_final.exeCLIENT-BUILT.EXEdescription pid process target process PID 1720 wrote to memory of 2528 1720 bypasser_final.exe CLIENT-BUILT.EXE PID 1720 wrote to memory of 2528 1720 bypasser_final.exe CLIENT-BUILT.EXE PID 2528 wrote to memory of 1788 2528 CLIENT-BUILT.EXE shutdown.exe PID 2528 wrote to memory of 1788 2528 CLIENT-BUILT.EXE shutdown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bypasser\bypasser_final.exe"C:\Users\Admin\AppData\Local\Temp\bypasser\bypasser_final.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39a0055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXEFilesize
78KB
MD5a654392da078edaa1e15edf5037892af
SHA17e46cf31017813ef3965ee4b0b4dc1cb8467eaf5
SHA256e8c4b3c1bf31627789ae496bda5014524cc6304c2f0b31f592cb4ce82703269c
SHA5123caf159430d00b513cfe2c1221f39643f00b018c0af7952c9a3c0fee43c9aacf3b0c55846ef137c66fa6c8c5c9b007d3f87c013d1de61811da22a9ad7d66d9dc
-
memory/2528-13-0x00007FFF04093000-0x00007FFF04095000-memory.dmpFilesize
8KB
-
memory/2528-12-0x0000015D78560000-0x0000015D78578000-memory.dmpFilesize
96KB
-
memory/2528-15-0x0000015D7AC60000-0x0000015D7AE22000-memory.dmpFilesize
1.8MB
-
memory/2528-16-0x00007FFF04090000-0x00007FFF04B51000-memory.dmpFilesize
10.8MB
-
memory/2528-17-0x0000015D7B540000-0x0000015D7BA68000-memory.dmpFilesize
5.2MB
-
memory/2528-18-0x00007FFF04093000-0x00007FFF04095000-memory.dmpFilesize
8KB
-
memory/2528-19-0x00007FFF04090000-0x00007FFF04B51000-memory.dmpFilesize
10.8MB
-
memory/2528-20-0x00007FFF04090000-0x00007FFF04B51000-memory.dmpFilesize
10.8MB