Analysis Overview
SHA256
6b6c92ccb9752329a838ad2a79484bc1bb83e94fb997712808108340bb3617c9
Threat Level: Known bad
The file Roblox nice wallpaper PC 4Kgpj.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 19:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 19:46
Reported
2024-08-30 19:47
Platform
win11-20240802-en
Max time kernel
14s
Max time network
26s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3496 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4Kgpj.exe | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe |
| PID 3496 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4Kgpj.exe | C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4Kgpj.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4Kgpj.exe"
C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe
| Hash | Value |
|---|---|
| MD5 | ba416f6d574b900d390ebe54d2534d62 |
| SHA1 | 5c2b419426e7ee98de2542d02ccbda2bfcd8db13 |
| SHA256 | d379e9094225a79ff41971d62fdba48524f60e76e36a878a6268c61096b3514c |
| SHA512 | 48568ea8a7b10579f87df74bec88ed33fee3d0c410b5005b32f87b19db657c71ac326bb8ef4af1f9af4bdf8e0c230ed7bc60d8ac3b7edcf8a4348e528d3edb19 |
memory/2800-12-0x00007FFB5A033000-0x00007FFB5A035000-memory.dmp
memory/2800-13-0x000001BF8F010000-0x000001BF8F028000-memory.dmp
memory/2800-14-0x000001BFA9670000-0x000001BFA9832000-memory.dmp
memory/2800-15-0x00007FFB5A030000-0x00007FFB5AAF2000-memory.dmp
memory/2800-16-0x000001BFAAA40000-0x000001BFAAF68000-memory.dmp
memory/2800-17-0x00007FFB5A033000-0x00007FFB5A035000-memory.dmp
memory/2800-18-0x00007FFB5A030000-0x00007FFB5AAF2000-memory.dmp