Overview

overview

10

Static

static

3

BfIgOz7.exe

windows10-2004-x64

BfIgOz7.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 03:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    BfIgOz7.exe

  • Size

    6.8MB

  • MD5

    29daf7a58aacdc2459d9145039474754

  • SHA1

    df7807760855e648920c85c29b12e2e817930729

  • SHA256

    73ffdb5bc29185f6c68ea22d571859218635a17bad466d4c5aee1b4a3421dfb1

  • SHA512

    e1db029d471eede7cfcecf5428b8d7669c4655b5d4a7c854fd952894c9e5d3c0497cd741235a9c312cc08c8fb811f051d1756264b585ec4e0f98a982d65f803e

  • SSDEEP

    98304:o1kTd/1SqRWF/A0E/CoSMWjILQjMhAjUc7DL5s:WkTd7RWF/I/ZWjsjajUc72

Score
10/10
discordratdefense_evasionexecutionpersistenceprivilege_escalationratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI4NDY3NDQ5OTc5ODc2NTczOA.GRsRSd.UW5uwQ1usFhHH7EewkpyCqw589sAshmfAmxuZg

  • server_id

    1284674413421133905

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe
    "C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c powershell Add-MpPreference -ExclusionPath 'C:\'' -Verb runAs"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c powershell Start-Process roblox.exe -Verb runAs' -Verb runAs"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powershell Start-Process roblox.exe -Verb runAs
        3⤵
        • Access Token Manipulation: Create Process with Token
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Process roblox.exe -Verb runAs
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3212
          • C:\Users\Admin\AppData\Local\Temp\roblox.exe
            "C:\Users\Admin\AppData\Local\Temp\roblox.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    276798eeb29a49dc6e199768bc9c2e71

    SHA1

    5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

    SHA256

    cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

    SHA512

    0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    d12962669ba48beb2b60419a082d95a0

    SHA1

    4bf0ae0a2cf064013bc040d4e622723bd8b0afc0

    SHA256

    1b91396bdcf8980a38f583b3f35ae16b1597d43828f7b9cfad78dcffe4c1cb79

    SHA512

    641428e839eac84afbb0eae184efd41b1066c39dcfaab41127262bf5adcf03781c3130f33f1526baa915486469e59e35675516d5f95325cace414ba6f7c2ac08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vgds44r.51h.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\roblox.exe
    Filesize

    90KB

    MD5

    c7bbc27d3f6c8f80047184a0dd5423c2

    SHA1

    9f0600f25fc175508dffe189bae5d0bdb6fcce10

    SHA256

    8456684a9df4033f3199029c67246c264bccdd12a6e5d720521aff7f0ca59364

    SHA512

    413d2d7be16560b37a2df6aa438dfc3f57544c656a9965ffa3d0ccc2b799e9b14f0d36e106e577bd22157f96b6f450e2640a2ecb5e1a6175532ea431ed8ba80b

    Download Submit

  • memory/1424-16-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-15-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-12-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-0-0x00007FFCECE23000-0x00007FFCECE25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1424-11-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-10-0x0000020EEFE80000-0x0000020EEFEA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4548-49-0x000001BB49C20000-0x000001BB4A148000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4548-48-0x000001BB49420000-0x000001BB495E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4548-47-0x000001BB2EDD0000-0x000001BB2EDEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4984-19-0x00007FFCECA00000-0x00007FFCED4C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-33-0x00007FFCECA00000-0x00007FFCED4C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-21-0x00007FFCECA00000-0x00007FFCED4C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-20-0x00007FFCECA00000-0x00007FFCED4C1000-memory.dmp

    Filesize

    10.8MB

    Download