Overview

overview

10

Static

static

3

Install.exe

windows10-2004-x64

10

Install.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install.exe

  • Size

    954KB

  • MD5

    0252126bad05a1ea6ebe3042b1d177c2

  • SHA1

    9d98900389b76456817e149c779326a994538fae

  • SHA256

    6e25aee49ea9d544165f5d627f53cf0c6983200b2ccb5fa4497d3f32ca99c9dd

  • SHA512

    5fec36049fe76dc68ed5647142984512bbd394db2ba66dd326f6805e158e8814801bb5245cf9de46bc1cb916993813df811339ae3d3e7ed3f9f2bc98398446a5

  • SSDEEP

    24576:YU+9XNrenyktDLdYNtcdvQNC9wHAP5c1gfDrhKh:e5OVeyffXhC

Score
10/10
discordratdiscoveryexecutionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI4OTg4NTE3MDM5MTk3Mzg5OQ.GznnVF.S0i0w8LmWps4VGMVMSSCViuDT3yKu23LSJGZ-c

  • server_id

    1289885435367002112

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4ACF.tmp\4AD0.tmp\4AE1.bat C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\appdata""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\appdata
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4740
    • C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
    • C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\51F3.tmp\51F4.tmp\51F5.bat C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "WindowsSystem32" /tr C:\Users\Admin\AppData\Roaming\Microsoft\install.exe /sc onstart
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:624
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
    1⤵
      PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      feadc4e1a70c13480ef147aca0c47bc0

      SHA1

      d7a5084c93842a290b24dacec0cd3904c2266819

      SHA256

      5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

      SHA512

      c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4ACF.tmp\4AD0.tmp\4AE1.bat
      Filesize

      172B

      MD5

      8a256c0fc1a0635b2b02efcbfb61c4f5

      SHA1

      031642509b162024186142705b1f8552d733c6e1

      SHA256

      6c2d5c39c697ef3fbeea92bd708680f9c2c3539405a66d7149627b1fb710cc36

      SHA512

      ac1566dfbe52db372cfecb35d7346937e33d028c366f3ec94f55ee38580c7f3a17350447b5b6c8a1bccfab0327901325ef9f0d8d29a2071715e66cc4db854403

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\51F3.tmp\51F4.tmp\51F5.bat
      Filesize

      128B

      MD5

      dc8f854187f22ffa2fb1b7233fe05c78

      SHA1

      1ac680c09fb40f005fd6f2bc5320bdf910cbbe35

      SHA256

      47134ba4d814e10b64f123bd4e4bb6807e41f72a214c25e657f492db4f673cc1

      SHA512

      3b8348bad8d1ef8421bad057bb2542241f1af79d4eba12a6c26bfccf7fa7f438543859629c8c946bb88146fe7396350ad5b15c2493577a609086c536f1779d3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgr3vmac.wel.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe
      Filesize

      119KB

      MD5

      4e363799831f973a254e3e9cfe102bbd

      SHA1

      6c78fa37bf90554a78c651837f12121d326478c1

      SHA256

      f544b2bcffd9ea359e84d54b405ea99dd5568cfd476095e20ba10fbf70a1c3cb

      SHA512

      66196dc49d3ddd27b585273a441fafaa583f2d146019ffc5480f12acd7116450185c744668fd7b3b0b301063a938cd8d9b5798417a716c3b58f96bf0a867b3b0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe
      Filesize

      119KB

      MD5

      374eac988a97adaa4c63c241c532be72

      SHA1

      8acb363196482e366aac360f683c9c23e85b3b81

      SHA256

      6b13045a1f24ea7b11e569c9f9b1684ee8f86b130522839147dc0b52c727d12b

      SHA512

      6161548d45ea7aee5618434eb1199ee64a3323c04bb0e477cb824deb454123061714821b65bf5c9c2cce7a029ccb3e5b553298eef0874708f053f3676bfea0b4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
      Filesize

      78KB

      MD5

      62e531fc823331011e05a0e0139a8260

      SHA1

      159a6ac300d1e8fd8a86e1f51c4fa31fd515d29a

      SHA256

      e065ddbc2eb6c25079010487d32e517bbeb6caf00c8bfff2b6eee23cbccf1574

      SHA512

      0d45d3a6d4fd8bd5de0a7a740ab97a720a2e0fbcc153bdaa296596d438dfed70f803d21786c9e654c04718a2d1164ecf4594498086ff1f5beac9dfbb9ee47394

      Download Submit

    • memory/656-17-0x0000026D7BDF0000-0x0000026D7BE12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1312-40-0x0000020A46500000-0x0000020A46518000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1312-41-0x0000020A60C60000-0x0000020A60E22000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1312-52-0x0000020A61460000-0x0000020A61988000-memory.dmp

      Filesize

      5.2MB

      Download