Overview

overview

10

Static

static

1

Custom Theme.msi

windows7-x64

6

Custom Theme.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Custom Theme.msi

  • Size

    1.9MB

  • MD5

    3a6d228f64408b62459124daf05bb83f

  • SHA1

    a0c43230ae4eb0611052b78053214a5e8898a9a4

  • SHA256

    90673e8a84408b0bf7c029cf6b3c1394a52bb32f318770a0328d7904256e7643

  • SHA512

    1cfc629d234cb97a40c154a3beeef2f822bbf86c6d90c8df026cf249afd6b7b062ce7a0f6f1b8e787a3972848b42b5320c1ed7ff99c91e00c1d494d412c52c13

  • SSDEEP

    24576:IxoNa2uPYAGxUherZNh0lhSMXlrI5s2JK5kmwy0CfKAe7:9GP5Ferq7I5RJK5k1jCfKAe7

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1ODA5NjQzNzA2MjAwOTA2NQ.GhJzhd.kk9R2GDudIgunSijVjaWQD6sIwY3-Lvdx3K_jA

  • server_id

    1258096259378577508

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Custom Theme.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1496
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2C36C6130EA1A26774C9656053E175BF C
      2⤵
      • Loads dropped DLL
      PID:1736
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding CB8A4D3F89D56F2B79C2BF01A2E5062F
      2⤵
      • Loads dropped DLL
      PID:4320
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1296
    • C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe
      "C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe"
      1⤵
      • Executes dropped EXE
      PID:4884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e587a7b.rbs
      Filesize

      9KB

      MD5

      c4dd8bf368cebdf2297d329edeaec3d7

      SHA1

      35f3c5225107fcde769f402a8e4e41a1571d6e87

      SHA256

      c119c370b45a68c4633b200142643f384ce4e8b24157c993cb5f399d2ae612ae

      SHA512

      1a052f1ffb7781ff46713eff71a39fe9c1e3239bfd3a7901cd51f32b88a05843122a5dd9ced36dbd99089e4faebb2f4ecc528d935d374abe23ce7721752b6869

      Download Submit

    • C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe
      Filesize

      78KB

      MD5

      a5d78ceca0d1cf4f7c01570f52c87eba

      SHA1

      79a51625c12e3dc18f0df104e4b69c390780642a

      SHA256

      9bcaf3dbe98611f6cda0aa2e225777401746a802e53bd4b48f3d11637ed19c1a

      SHA512

      ce2fa48229eae4ee7ea6e707de5c244b9a645735731d2c9174bb65e272380b109ea709eac1c20fc5b5e004af0e340c44827a488b217ac14787ef4cc33a3cbc3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI7BD7.tmp
      Filesize

      904KB

      MD5

      421643ee7bb89e6df092bc4b18a40ff8

      SHA1

      e801582a6dd358060a699c9c5cde31cd07ee49ab

      SHA256

      d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

      SHA512

      d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

      Download Submit

    • C:\Windows\Installer\e587a7a.msi
      Filesize

      1.9MB

      MD5

      3a6d228f64408b62459124daf05bb83f

      SHA1

      a0c43230ae4eb0611052b78053214a5e8898a9a4

      SHA256

      90673e8a84408b0bf7c029cf6b3c1394a52bb32f318770a0328d7904256e7643

      SHA512

      1cfc629d234cb97a40c154a3beeef2f822bbf86c6d90c8df026cf249afd6b7b062ce7a0f6f1b8e787a3972848b42b5320c1ed7ff99c91e00c1d494d412c52c13

      Download Submit

    • memory/4884-69-0x00000285AEBA0000-0x00000285AEBB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4884-70-0x00000285C9280000-0x00000285C9442000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4884-71-0x00000285CA410000-0x00000285CA938000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4884-72-0x00000285C9EE0000-0x00000285CA1AA000-memory.dmp

      Filesize

      2.8MB

      Download