Analysis

  • max time kernel
    235s
  • max time network
    225s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15-10-2024 12:54

General

  • Target
    ezyzip.zip
  • Size
    444KB
  • MD5
    97d6d15d4a781914c9f43aea5a1dec81
  • SHA1
    da259b67f2ab08a096d905f3eccf1d329d38d958
  • SHA256
    9905bca893c593653c9e0ce81d7c3210e72e2ff0aa4ee8add2acb8b232588d2c
  • SHA512
    25720508072b8f3d31a9f40cd950c35c3a284a7bf30d82f75256b6c7f597b78d5ec5d8fb378733b327c9f01007ff4deea2aaa80888cac17ddc3e7a54bc2eec27
  • SSDEEP
    12288:4ThcCVRKuZih6p8mbIhq/6mwI6rim6CaStHub+wZKUGJ6PaS:4ThcCVR1Zihgk3mwrtHxiCYPaS

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ezyzip.zip"
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1580
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:424
    • C:\Users\Admin\Desktop\test\builder.exe
      "C:\Users\Admin\Desktop\test\builder.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4920
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test\Nyt tekstdokument.txt
      PID:3520
      • C:\Users\Admin\Desktop\test\test.exe
        "C:\Users\Admin\Desktop\test\test.exe"
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Users\Admin\Desktop\test\test.exe
        "C:\Users\Admin\Desktop\test\test.exe"
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
      • C:\Users\Admin\Desktop\test\test.exe
        "C:\Users\Admin\Desktop\test\test.exe"
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Users\Admin\Desktop\test\Release\Discord rat.exe
        "C:\Users\Admin\Desktop\test\Release\Discord rat.exe"
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
      • C:\Users\Admin\Desktop\test\builder.exe
        "C:\Users\Admin\Desktop\test\builder.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4540
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test\Nyt tekstdokument.txt
        PID:4948
        • C:\Users\Admin\Desktop\test\Client-built.exe
          "C:\Users\Admin\Desktop\test\Client-built.exe"
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Users\Admin\Desktop\test\Client-built.exe
          "C:\Users\Admin\Desktop\test\Client-built.exe"
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
        • C:\Users\Admin\Desktop\test\Client-built.exe
          "C:\Users\Admin\Desktop\test\Client-built.exe"
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2900
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log
    Filesize: 1KB
    MD5: 9e7845217df4a635ec4341c3d52ed685
    SHA1: d65cb39d37392975b038ce503a585adadb805da5
    SHA256: d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
    SHA512: 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1
  • C:\Users\Admin\Desktop\test\Nyt tekstdokument.txt
    Filesize: 97B
    MD5: 8bf82f73efd82977a153b2049c305288
    SHA1: 8d7f55d2ba7cff6b7e2b29199bfaab7b52bd8f78
    SHA256: c0923b1f91298bc33b6a30029a606a9e8fb2c93c3d01faf08c0d986861cb75b6
    SHA512: c5921a83a857fdccd5a583e2e3b60d126f4f14cf93bd7891d0663249356031b961bb6afebcf8866b3a21bcd368b29e05bb807d641052cb1794ab6624a5ce181c
  • C:\Users\Admin\Desktop\test\Release\Discord rat.exe
    Filesize: 79KB
    MD5: d13905e018eb965ded2e28ba0ab257b5
    SHA1: 6d7fe69566fddc69b33d698591c9a2c70d834858
    SHA256: 2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
    SHA512: b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
  • C:\Users\Admin\Desktop\test\builder.exe
    Filesize: 10KB
    MD5: 4f04f0e1ff050abf6f1696be1e8bb039
    SHA1: bebf3088fff4595bfb53aea6af11741946bbd9ce
    SHA256: ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa
    SHA512: 94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12
  • C:\Users\Admin\Desktop\test\dnlib.dll
    Filesize: 1.1MB
    MD5: 508ccde8bc7003696f32af7054ca3d97
    SHA1: 1f6a0303c5ae5dc95853ec92fd8b979683c3f356
    SHA256: 4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a
    SHA512: 92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d
  • C:\Users\Admin\Desktop\test\test.exe
    Filesize: 78KB
    MD5: 10b0f9d5cdafe05d8860304d0023729a
    SHA1: 823e3ae8bd7170cbaeb09a6d20b9e0beb83f2a9d
    SHA256: fd1d504d3fc79da2c31d2238d3ad69050e34bcc3126972ee1adad881ee69f3dc
    SHA512: df32a0adebbcccdd062cee34fecf370a1cb830fd6f2525c755ecba02f6ea0bd611183d26ea9a7e10af9efad4811232d0ac6c53d7693fd0cff7b9ee3ec26dd71d
  • memory/2624-24-0x0000021E6BF00000-0x0000021E6BF18000-memory.dmp
    Filesize: 96KB
  • memory/2624-25-0x0000021E6E4D0000-0x0000021E6E692000-memory.dmp
    Filesize: 1.8MB
  • memory/2624-26-0x0000021E6ECD0000-0x0000021E6F1F6000-memory.dmp
    Filesize: 5.1MB
  • memory/4108-30-0x00000244730E0000-0x00000244730F8000-memory.dmp
    Filesize: 96KB
  • memory/4920-13-0x0000000004F90000-0x0000000004F9A000-memory.dmp
    Filesize: 40KB
  • memory/4920-18-0x0000000006080000-0x00000000061A2000-memory.dmp
    Filesize: 1.1MB
  • memory/4920-12-0x0000000004E10000-0x0000000004EA2000-memory.dmp
    Filesize: 584KB
  • memory/4920-11-0x0000000005270000-0x000000000576E000-memory.dmp
    Filesize: 5.0MB
  • memory/4920-10-0x00000000005C0000-0x00000000005C8000-memory.dmp
    Filesize: 32KB