Overview

overview

10

Static

static

10

do not dow...un.exe

windows7-x64

10

do not dow...un.exe

windows10-2004-x64

10

Resubmissions

03-11-2024 00:29

241103-atdf2syray 10

03-11-2024 00:27

241103-art11syqfv 10

03-11-2024 00:23

241103-aptmgayqbt 10

03-11-2024 00:19

241103-amd41asmhq 10

03-11-2024 00:16

241103-akx44asmfm 10

03-11-2024 00:11

241103-ag1qtaynft 10

Analysis

  • max time kernel
    127s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    do not download and run.exe

  • Size

    78KB

  • MD5

    f2c5e50d71723a255faafb127396b119

  • SHA1

    5784b322726fe05abae13b8dde3c6bcb10eaf83f

  • SHA256

    9da14eafeaff261c893fe5e252ecee52465c403325b9c3ba761e5d80ca76866a

  • SHA512

    5a955fca58d1f105d5ffe6004b18e013f69dbf0a06538d5c6192e9964e7249a7cbb8335411b263d56cb8108bf610f29f4c848c0d38f0c68bcfac73bb0a341259

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwMjMwNTMyNzY2MzkzOTcyNg.GkZ69I.EmDu656kW3-o_fxbEajqbFdrqzR7r2g-hNmbM0

  • server_id

    1302304456985149450

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\do not download and run.exe
    "C:\Users\Admin\AppData\Local\Temp\do not download and run.exe"
    1⤵
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /L
      2⤵
        PID:4428
    • C:\Windows\system32\notepad.exe
      "C:\Windows\system32\notepad.exe"
      1⤵
        PID:3308
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa3934855 /state1:0x41c64e6d
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2608-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2608-1-0x000002395E6F0000-0x000002395E708000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2608-2-0x0000023978D80000-0x0000023978F42000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2608-3-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2608-4-0x0000023979580000-0x0000023979AA8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2608-5-0x00007FFC53833000-0x00007FFC53835000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2608-6-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2608-9-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

        Filesize

        10.8MB

        Download