Analysis

  • max time kernel
    25s
  • max time network
    28s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    11-11-2024 00:56

General

  • Target

    vison.exe

  • Size

    708KB

  • MD5

    51d6819e3fb246c54b31fe8aff8627c0

  • SHA1

    d0b0790c2ec591684ae72588d0aa8d68642a1e4a

  • SHA256

    34bd1f86f1c5c37a2200160019e828a16b1d2efa333099814a6c51c075bfd349

  • SHA512

    c1db0d56c936a079b80cabfbbaec3fc042dea6b765283cb1481193dc05dc55ca313b71d1847935c741672d7bb63e9acef2bbbead4b5b9c5c389c6191ae71f080

  • SSDEEP

    12288:PLMEalqxXblqoRX5qbfphLxaOS3CPqv0Ra6CgLc4rvGSlEkK3dHsZix:DqaXNabfphLxaVSPqvca6COBlaldx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwNTIyNjM4MTE3MjY3MDQ5NA.GefVhh.4NM9q0Xf2sO6mHqumTUxU-PopzLhDvRYkm6O3A

  • server_id

    1290828168563003412
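
The extracted config above can be pivoted on offline. A Discord bot token's first dot-separated segment is the unpadded URL-safe base64 of the bot's numeric user ID, and both that ID and the server_id are Discord snowflakes, whose upper 42 bits are milliseconds since the documented Discord epoch (2015-01-01T00:00:00Z). The script below, an added example that is not part of the sandbox report or of the malware, decodes the token's first segment to the bot ID and converts both snowflakes to creation timestamps without ever contacting Discord. The token and server_id are the values shown on this page; no other input is assumed.

```python
"""Decode the extracted discordrat config: recover the bot user ID from
the token's first segment and turn Discord snowflakes into timestamps.
Added example; not code from the sandbox report or from the malware."""
import base64
from datetime import datetime, timedelta, timezone

# Values copied from the "Extracted" config on this page.
DISCORD_TOKEN = "MTMwNTIyNjM4MTE3MjY3MDQ5NA.GefVhh.4NM9q0Xf2sO6mHqumTUxU-PopzLhDvRYkm6O3A"
SERVER_ID = 1290828168563003412

# Documented Discord snowflake epoch: 2015-01-01T00:00:00Z in milliseconds.
DISCORD_EPOCH_MS = 1420070400000


def token_segments(token: str) -> tuple:
    """Split a Discord token into its three dot-separated segments."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a three-part Discord token")
    return parts[0], parts[1], parts[2]


def discord_token_user_id(token: str) -> int:
    """The first segment is unpadded URL-safe base64 of the ASCII user/bot ID.
    Re-add padding, decode, and require a purely numeric result."""
    first, _, _ = token_segments(token)
    padded = first + "=" * (-len(first) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if not raw.isdigit():
        raise ValueError("first segment does not decode to a numeric ID")
    return int(raw.decode("ascii"))


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Bits 22..63 of a snowflake are milliseconds since DISCORD_EPOCH_MS.
    Integer arithmetic plus timedelta avoids float rounding of the ms."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def summarize(token: str, server_id: int) -> dict:
    """Everything an analyst can derive from the config without network access."""
    bot_id = discord_token_user_id(token)
    return {
        "bot_user_id": bot_id,
        "bot_created": snowflake_to_datetime(bot_id).isoformat(),
        "server_id": server_id,
        "server_created": snowflake_to_datetime(server_id).isoformat(),
    }


if __name__ == "__main__":
    for key, value in summarize(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

The bot ID and its creation time are useful for clustering: other samples carrying tokens that decode to the same ID, or a server_id created at the same time, belong to the same operator. The second and third token segments are not decoded here; the third is an HMAC and reveals nothing offline.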

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Unexpected DNS network traffic destination (1 IoC)

    Network traffic to servers other than the configured DNS servers was detected on the DNS port. This is consistent with the WMIC SetDNSServerSearchOrder call in the process tree below, which points every IP-enabled adapter at 1.1.1.1 and 1.0.0.1.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information (2 TTPs, 1 IoC)

    Uses a command-line utility (here ipconfig /all) to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (44 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\vison.exe
    "C:\Users\Admin\AppData\Local\Temp\vison.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c ipconfig /all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:4508
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1148
    • C:\Users\Admin\AppData\Local\Temp\das.exe
      "C:\Users\Admin\AppData\Local\Temp\das.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
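
The process tree above is the detection surface: dropped executables in %TEMP% spawned by another %TEMP% executable, `ipconfig /all` reconnaissance descending from that dropper, and WMIC rewriting the DNS server search order. The script below is an added example, not part of the sandbox report or of Tria.ge's signatures; it runs simple parent-chain and command-line rules over process-creation events. The event list is constructed from the PIDs, images and command lines shown in the tree (the root sample is given a placeholder parent PID of 0, since the page shows none).

```python
"""Detect the behaviours in the vison.exe process tree from process-creation
events. Added example; the events are constructed from this page's tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 for the root is a placeholder.
EVENTS = [
    ProcEvent(3948, 0, r"C:\Users\Admin\AppData\Local\Temp\vison.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\vison.exe"'),
    ProcEvent(1300, 3948, r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'),
    ProcEvent(3424, 1300, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd" /c ipconfig /all'),
    ProcEvent(4508, 3424, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(4636, 1300, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
    ProcEvent(1148, 4636, r"C:\Windows\System32\Wbem\WMIC.exe",
              'wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
    ProcEvent(1764, 3948, r"C:\Users\Admin\AppData\Local\Temp\das.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\das.exe"'),
]

# An executable living directly under the user's %TEMP% directory.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# The WMI method that rewrites an adapter's DNS server list, with its argument list.
DNS_TAMPER_RE = re.compile(r"SetDNSServerSearchOrder\s*\((.*?)\)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def ancestors(pid, by_pid):
    """Walk parent links upward; stop at unknown PIDs or a cycle."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def has_temp_ancestor(ev, by_pid):
    return any(TEMP_EXE_RE.search(a.image) for a in ancestors(ev.ppid, by_pid))


def detect(events):
    """Return (pid, alert) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        # Dropped EXE: a %TEMP% executable whose parent chain is also in %TEMP%.
        if TEMP_EXE_RE.search(ev.image) and has_temp_ancestor(ev, by_pid):
            alerts.append((ev.pid, "dropped_exe_from_temp"))
        # DNS tampering: WMIC invoking SetDNSServerSearchOrder; extract the new servers.
        m = DNS_TAMPER_RE.search(ev.cmdline)
        if m and ev.image.lower().endswith("wmic.exe"):
            servers = IPV4_RE.findall(m.group(1))
            alerts.append((ev.pid, "dns_server_tamper:" + ",".join(servers)))
        # Network recon: ipconfig /all launched (via cmd) from a %TEMP% executable.
        if (ev.image.lower().endswith("ipconfig.exe") and "/all" in ev.cmdline.lower()
                and has_temp_ancestor(ev, by_pid)):
            alerts.append((ev.pid, "network_recon_from_temp"))
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(EVENTS):
        print(f"PID {pid}: {alert}")
```

The root sample (PID 3948) is deliberately not flagged: it has no parent in the event set, so the %TEMP%-parent rule cannot fire on it. The DNS rule fires on WMIC.exe itself rather than on the cmd.exe wrapper, so a single tampering event yields one alert; the extracted server list (1.1.1.1, 1.0.0.1) is what a responder would compare against the adapter's current configuration before reverting it.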

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

    Filesize

    800KB

    MD5

    2a4dcf20b82896be94eb538260c5fb93

    SHA1

    21f232c2fd8132f8677e53258562ad98b455e679

    SHA256

    ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

    SHA512

    4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

  • C:\Users\Admin\AppData\Local\Temp\das.exe

    Filesize

    78KB

    MD5

    f6379c5a5f599cd11884f3c420a75997

    SHA1

    33ee58eea8581284232ddbb0cc348de644f31fb1

    SHA256

    cf5f4be75a9588bf186bf8b4a47238917edc9f42bb56499e22da90c7f5aa10d9

    SHA512

    f053ab33cc4a1d10fd0491fb87eec834b027b7bffc3b7ab7912d8adeed0c48495891596f923319d469783b591272131f03fb0999e8000f9cb6d753746732aae6

  • memory/1300-33-0x000001DF8D870000-0x000001DF8D93E000-memory.dmp

    Filesize

    824KB

  • memory/1300-37-0x000001DF8F5B0000-0x000001DF8F5D2000-memory.dmp

    Filesize

    136KB

  • memory/1764-29-0x00007FFF5F583000-0x00007FFF5F585000-memory.dmp

    Filesize

    8KB

  • memory/1764-30-0x000002928DF70000-0x000002928DF88000-memory.dmp

    Filesize

    96KB

  • memory/1764-31-0x00000292A85A0000-0x00000292A8762000-memory.dmp

    Filesize

    1.8MB

  • memory/1764-34-0x00007FFF5F580000-0x00007FFF60042000-memory.dmp

    Filesize

    10.8MB

  • memory/1764-35-0x00000292A8EE0000-0x00000292A9408000-memory.dmp

    Filesize

    5.2MB

  • memory/1764-38-0x00007FFF5F583000-0x00007FFF5F585000-memory.dmp

    Filesize

    8KB