Analysis
- max time kernel: 139s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2024 04:22
Static task: static1
Behavioral task: behavioral1
- Sample: celexcudeapito.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral2
- Sample: celexcudeapito.exe
- Resource: win11-20241007-en
General
- Target: celexcudeapito.exe
- Size: 1.8MB
- MD5: 7a83c409d62508be138dc3f34388a9b9
- SHA1: aa25aa410bebe70ebc198724ee6fcdb136c5b1c3
- SHA256: c4bca7bc159f3acc7aa640e0e0e4af9628589ee3f883b599130fa7106084e890
- SHA512: f0847f85eaff1134a9c0f7449d29cce42a36cfded599b6e16ee82188185da97451d3f2e6fe06ce9cf04a970fe980db5d039c27f972c7b45f26e726a74c092fe8
- SSDEEP: 49152:ADjlabwz9qwXGH9WlwRkRIVI9w9S0RhFLTqKr:Aqw9MN9VIb6Lr
Malware Config
Extracted: discordrat
- discord_token: MTI5NjYzNTE3NjA0MTk3NTgxOA.Gk_FFl.rzX6LBdObHooYXuBei4jkvA7oRi8ecnVq0nMZE
- server_id: 1297012772168667258
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Process: celexcudeapito.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid: 4040 | Process: vai se fuder roblox.exe
    pid: 3264 | Process: backdoor.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  Processes:
    flow: 39 | ioc: discord.com
    flow: 42 | ioc: discord.com
    flow: 43 | ioc: discord.com
    flow: 60 | ioc: discord.com
    flow: 64 | ioc: discord.com
    flow: 34 | ioc: discord.com
    flow: 35 | ioc: discord.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 3264 | Process: backdoor.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 2084 wrote to memory of 4040 | pid: 2084 | Process: celexcudeapito.exe | procid_target: 84
    description: PID 2084 wrote to memory of 4040 | pid: 2084 | Process: celexcudeapito.exe | procid_target: 84
    description: PID 2084 wrote to memory of 3264 | pid: 2084 | Process: celexcudeapito.exe | procid_target: 101
    description: PID 2084 wrote to memory of 3264 | pid: 2084 | Process: celexcudeapito.exe | procid_target: 101
Processes
- C:\Users\Admin\AppData\Local\Temp\celexcudeapito.exe (PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\celexcudeapito.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\vai se fuder roblox.exe (PID 4040, child of 2084)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vai se fuder roblox.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe (PID 3264, child of 2084)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: f7615a8c2c53d5df88f53c7ca1f970cd
  SHA1: 85ca41cc160bf72b8e0aac6130fe386b0c72ed94
  SHA256: 104b5e98f3360cf01eca20384c828ff07ca8256191dbf2331919c49614a22fab
  SHA512: be36994146def7d9af634bacb931bbdabf0f63f6f963f0a935719aa924104381e65bc374d71314af90ca5a7126eb1e80a7d90eb5954f5e1ba47fee9e2fabe9ee
- Filesize: 2.2MB
  MD5: f16cf9f4ca1b3c6d78525a6b6decd80f
  SHA1: 29eaff2fd438c415931aae1b6846d195debade9b
  SHA256: 0b8fe49d12a5077d652ea5ce99e6db3ac6239c1ac4df6888c45d3c5e0c32895a
  SHA512: 034a003180fdafbd8304c28b8f465bd44218190c35a6e18a510df52a2bae25e16dc8e26945429fa2a9ccc1ca401f17cbcaa418b5339e6ddad921d46a9832c87d