Overview

overview

10

Static

static

3

Kgcheat.exe

windows10-2004-x64

10

Resubmissions

29-10-2024 20:57

241029-zrvd8aymat 10

29-10-2024 20:55

241029-zqlexszejm 7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kgcheat.exe

  • Size

    1.1MB

  • MD5

    cfeee3c91e88223cdf73628e32aa0ac7

  • SHA1

    9aed5554df0198884824667b24f88f65a114c49b

  • SHA256

    d6677579355c01a07792d6ed3678b6e7711111e326f6147a3b447634b5cec5f4

  • SHA512

    60be26bafec0aa86c1487fa26210ec2328f86634a5a7037be47090b68a016c50a57130ebdd9a05b1a32465b49be99cdc60cb375080d51bccc4f7478be875d22c

  • SSDEEP

    24576:AuDXTIGaPhEYzUzA0YT9mf+g8Gd4HXdTbX5U2ZFskFzZ+0:vDjlabwz9YTkwGd43BX5U2Ykvx

Score
10/10
discordratdiscoverypersistenceratrootkitspywarestealerupx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5ODgxODUyMzk0NjI4NzEyNA.GpyuQB.QlHqnz-dbIht50cFUATJeGkye7tbkFnlRsHYAE

  • server_id

    1298864586409250888

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kgcheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Kgcheat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4912
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghost.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghost.exe
    Filesize

    78KB

    MD5

    c13e6463d6bf8b9df8224f3c0640e5e7

    SHA1

    821b72099e3f84a15692c516ff3936586eb1cf56

    SHA256

    410a7494b6c174e0b368bfa7689538e18b7906a3d741639f42163640a90fd139

    SHA512

    cb63eff819bcb3da1efc8d7c56cf26203905b9c6d09bafb938088260e7a9f9f6c5e1e9084bf8c2a9d34917f999cdac3ed22f0a4ad93ee2f96e8d5a8d5b08e451

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp.exe
    Filesize

    403KB

    MD5

    c1aedd9f2dac8a7f79ed40d264b4df6d

    SHA1

    6faebb34ab3dc53565a53affda48a7f7a2faf3ff

    SHA256

    f7c4372c8545121938230ae0c9f1d9bd297836e8ad37afa710ee93f2c4791ade

    SHA512

    d7ed34e9e97be609387b367463d559037f4c69ffa6d3a25943536d98f6a8f4cbe6353d838c47a9d7ee7d43c875d18a08ce19c36428cf37fc5b8a723ff34ecb36

    Download Submit

  • memory/4912-17-0x0000000000400000-0x0000000000525000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4912-13-0x0000000000400000-0x0000000000525000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4912-15-0x0000000000B40000-0x0000000000B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4912-16-0x0000000000400000-0x0000000000525000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4912-12-0x0000000000B40000-0x0000000000B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4912-18-0x0000000000400000-0x0000000000525000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4912-10-0x0000000000400000-0x0000000000525000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/5064-29-0x000001492DB00000-0x000001492DB18000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5064-30-0x0000014948100000-0x00000149482C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5064-31-0x0000014949460000-0x0000014949988000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5064-32-0x0000014949050000-0x00000149490C6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5064-33-0x0000014948090000-0x00000149480A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5064-34-0x00000149480C0000-0x00000149480DE000-memory.dmp

    Filesize

    120KB

    Download