Overview

overview

10

Static

static

10

WinSysUpdater.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1593s
  • max time network
    1798s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-11-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WinSysUpdater.exe

  • Size

    78KB

  • MD5

    3a7ba5dc9dc4440dfda51f6b896bf8d4

  • SHA1

    e9b9929636b6956123d9c5e3b97e794c34ee144d

  • SHA256

    ec705050788da27ba95d24a7193bba431a2c269e76a8d43de1fc7fc4de49a833

  • SHA512

    9f53d5798955422148461c375cbc5eed9c84be71576fb93e0a07c3a0a5c35e89608d248d2c516903a0fce8b79106042b0046147dd6f13cafdcd86928219e766c

  • SSDEEP

    1536:c2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+6PIm:cZv5PDwbjNrmAE+mIm

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwMjgzMDcxMjAxNzM4NzU3Mg.GyQnUS.SxpKuBXZ9K_mg_8_GUInFqHsiwyeBPIua6YOAA

  • server_id

    1302293783269867540

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinSysUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\WinSysUpdater.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1084
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\winver.exe
      "C:\Windows\system32\winver.exe"
      2⤵
        PID:4996
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:4024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\bc8ab9ca-159e-439b-89c4-405e14cc26f4.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • memory/1084-0-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1084-1-0x000001AE0C710000-0x000001AE0C728000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1084-2-0x000001AE26ED0000-0x000001AE27092000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1084-3-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1084-4-0x000001AE28240000-0x000001AE28768000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1084-5-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1084-6-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2384-8-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-9-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-13-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-14-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-18-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-17-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-19-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-16-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-15-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-7-0x000001FF6E090000-0x000001FF6E091000-memory.dmp

      Filesize

      4KB

      Download