Overview

overview

10

Static

static

10

FmGK3vMA.exe

windows10-1703-x64

Analysis

  • max time kernel
    287s
  • max time network
    289s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28/09/2024, 12:49

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    FmGK3vMA.exe

  • Size

    78KB

  • MD5

    dc5f1fccad4fa6b8fb8840867fb985b5

  • SHA1

    decc0e0c8d74c9e951d621a1cd567c706895af10

  • SHA256

    8f7a75b9ed72bf95c31d73a4629ff6e3861e205d7ac2c16270c974cba91026b4

  • SHA512

    00481b98282776f25048f0c65d79a9532059a4526f4789a2e079c20066d3bbe1f6dc6cf5d45de6e7e48f1e7e9b15b36775a2623ed117f27901c99b62d4e6cce3

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score
10/10
discordratpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI4OTU2Nzg1NDMyODI4NzM4Mw.GiEcx6.8LXjTQUC76tpQ1hPaelq3PbcPVWeHZCfxWaz5E

  • server_id

    1289568050286432317

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FmGK3vMA.exe
    "C:\Users\Admin\AppData\Local\Temp\FmGK3vMA.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C C:\Windows\System32
      2⤵
        PID:4752
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C C:\Windows\System32 del /f
        2⤵
          PID:4544
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C
          2⤵
            PID:4360
          • C:\Windows\System32\shutdown.exe
            "C:\Windows\System32\shutdown.exe" /r /t 0
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:820
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x390
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3240
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0 /state0:0xa3af2055 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:4428

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7E669E84332F4D6D89356A2763BF75F0.dat
          Filesize

          940B

          MD5

          fb980a8df619ccdeee0b4332252bc1ce

          SHA1

          d2b154a58a88ee5c04dfa11fe6a592a1924be29d

          SHA256

          7b17cf71702e10ffa2474d9152a55e8cd79fdd407449c1bd1f0f38ef63c59836

          SHA512

          63a83422a4ab3db72c71487016bf4d151c0bd4598278a7e8e9683facd4474710c2cd7b990177064b4c33c1fc63af8621bd29d2d4f32f78bdad3292b0646789ea

          Download Submit

        • memory/2268-3-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2268-2-0x000001CD5EC70000-0x000001CD5EE32000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2268-0-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2268-4-0x000001CD5F5A0000-0x000001CD5FAC6000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2268-5-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2268-6-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2268-7-0x000001CD5EB90000-0x000001CD5EC3A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2268-8-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2268-1-0x000001CD446B0000-0x000001CD446C8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2268-16-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2268-17-0x000001CD5EC60000-0x000001CD5EC6E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2268-22-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

          Filesize

          9.9MB

          Download