Resubmissions
08-07-2024 06:23  240708-g5mmesycqh  10
08-07-2024 06:21  240708-g4vlmswfnk  10
08-07-2024 06:20  240708-g351zsycka  10
08-07-2024 06:17  240708-g2bezsybmf  10
Analysis
max time kernel: 149s
max time network: 65s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 08-07-2024 06:21
Behavioral task behavioral1
  Sample: Client-built.exe
  Resource: win7-20240705-en
Behavioral task behavioral2
  Sample: Client-built.exe
  Resource: win10v2004-20240508-en
General
Target: Client-built.exe
Size: 78KB
MD5: 8cce5e63c8cefaf423b2f34978fe67ed
SHA1: dfff7fc992ea0c6e765210fb58983ee833cb2177
SHA256: 3eda8de3fca606c90d36e6f1148b0c78eac42ed532c182dfe3c5214bd03da032
SHA512: 5f8392106cb5b4e59aa0ce5ce4cb8227f682df7afdb6fa288e876a0954dfe6452a75e1adc78d5f6a9a093949f05b6606e88c5cbfcfca93037e2433dc18ab0371
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+8PIC:5Zv5PDwbjNrmAE+wIC
Malware Config
Extracted family: discordrat
discord_token: MTI1OTc1MzM2OTYwNjU1Nzc4Nw.GoiytD.R0INqYQ4iYfEi_aMf5nQz0adqWU9PKjBfAUqaM
server_id: 1259753103436156978
Signatures
Discord RAT
  A RAT written in C# using Discord as a C2.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description   ioc   Process
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName   taskmgr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000   taskmgr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  764   taskmgr.exe   (the same pid/process entry is listed 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  764   taskmgr.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description   pid   Process
  Token: SeDebugPrivilege   4404   Client-built.exe
  Token: SeDebugPrivilege   764   taskmgr.exe
  Token: SeSystemProfilePrivilege   764   taskmgr.exe
  Token: SeCreateGlobalPrivilege   764   taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  764   taskmgr.exe   (the same pid/process entry is listed 64 times)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  764   taskmgr.exe   (the same pid/process entry is listed 64 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 4404
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 764
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage