Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-1703-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    42s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-08-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1252285021377527923/1252285096434729011/160107100400-monkey-selfie.exe?ex=66b199a1&is=66b04821&hm=8de011afe0076b39ffe8a1e1418109bacccc9251ad7930633dc1a00bbc11ce9b&

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwNTMzOTUzNjEwMDY5NjA3NA.GE6gMg.mfWLL6-p2ZTIG_q9R9EM57japDdbe-TVG83A5E

  • server_id

    1205339412481704017

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://cdn.discordapp.com/attachments/1252285021377527923/1252285096434729011/160107100400-monkey-selfie.exe?ex=66b199a1&is=66b04821&hm=8de011afe0076b39ffe8a1e1418109bacccc9251ad7930633dc1a00bbc11ce9b&"
    1⤵
      PID:4488
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2552
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      PID:3800
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\160107100400-monkey-selfie.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\160107100400-monkey-selfie.exe"
        2⤵
          PID:60
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHELLSHOCK V4 BETA.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHELLSHOCK V4 BETA.exe"
            3⤵
              PID:4844
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2084
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:852
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:1252
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:2604
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:3224
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:4404
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
            PID:2032
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
              PID:4332

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CVI7P92B\160107100400-monkey-selfie[1].exe
              Filesize

              1.2MB

              MD5

              a4880b8dead5dd953df4c7e3f1afef44

              SHA1

              e9a098cf38d19999153b7a13e13dce9d80ba311f

              SHA256

              f22d8d5aac00f66414ca8b74b0c023f8adbef57698e9b64532d6fdaa1b41693b

              SHA512

              6b46d687b2a96c36580a5993cb1585a77f61cc42da459aef8665220b2c77f5e9934bb659c1bd909e36cbcb7e4399904a09fe2819e2ed9da068fd99286eca0177

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF19CB071696ADBEBE.TMP
              Filesize

              16KB

              MD5

              6eaa28718d7d44edb6381fc08bd352db

              SHA1

              407de7fc15ac284cbc9e9f1284af26c650621f7a

              SHA256

              c853e8e41c40736faf0550d1565e9d5dd998b26ec7249eeb84a7e9ca9844db36

              SHA512

              e99244e205ec3761d13a198cdad24047a777a96f8ec02ae11be77ff48a67e4fa8852d275aa6e7ca6d56350fa5126260a1015483dc8351f705794a7b290b7a36b

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CVI7P92B\160107100400-monkey-selfie[1].exe
              Filesize

              941KB

              MD5

              a8bd702a532ca5f61eb1ad56b66446a8

              SHA1

              1f0db8a5eaf8236620c8c952d4c91fe77d3e0cc5

              SHA256

              7cb08322105c9a9b76b4bd126fcaa667a151203776e08c3f730a646d2dd07351

              SHA512

              801b23a7977c23b218c7cfcebd7b99f48cdffd4d11f6805b764da1bbf8d20a487965d09af27422b5dcd699a241b12869ed34a93f718a8ec9f4478cf9a097a90b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHELLSHOCK V4 BETA.exe
              Filesize

              78KB

              MD5

              29d38362cbd41b5e1a5e59430703ceec

              SHA1

              8295e65a9b50f5e547cbee60d1824941dceb2390

              SHA256

              5f66c734a143d42ceb199d3fde28309147c8d1f289397bb4c72e5788976c0874

              SHA512

              bf53878035431a91ffcb87445fccd6b0623100acbff64219f6fb99cc38f0f59c77a5df25cee119cbeb47350b49b1ce1e187d5be287beca90e0c9652abd389a70

              Download Submit

            • memory/852-44-0x00000221F6840000-0x00000221F6940000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2552-16-0x00000236A6320000-0x00000236A6330000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2552-35-0x00000236A36B0000-0x00000236A36B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2552-137-0x00000236A54F0000-0x00000236A54F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2552-144-0x00000236A36A0000-0x00000236A36A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2552-140-0x00000236A36E0000-0x00000236A36E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2552-0-0x00000236A6220000-0x00000236A6230000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3224-64-0x000001D9EA420000-0x000001D9EA422000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3224-67-0x000001D9EA450000-0x000001D9EA452000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3224-69-0x000001D9EA470000-0x000001D9EA472000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3224-61-0x000001D9EA200000-0x000001D9EA300000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4404-72-0x00000166F76C0000-0x00000166F77C0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4844-110-0x00000208DEB70000-0x00000208DEB88000-memory.dmp

              Filesize

              96KB

              Download

            • memory/4844-111-0x00000208F9150000-0x00000208F9312000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4844-112-0x00000208F9950000-0x00000208F9E76000-memory.dmp

              Filesize

              5.1MB

              Download