Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-11-2024 14:55
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win11-20241007-en
windows11-21h2-x64
8 signatures
150 seconds
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
5294e84c734fbf9f34110e233b094b98
-
SHA1
2a2dc9fa78e3c80f7c425dc2d70daad6e0e2f6c2
-
SHA256
4abd3eb46f7ea1d4f698e5e35f6ce12cffbc131c994f842733aa4a4a6fc1654a
-
SHA512
ac67c08d7e1eb2d0c8b5f8928541c423d249094bbb72bf920a365f2afe9e3a034923c14cc9a667a899dcc4691b79c45b7eb352acd7f2e08a75bcbabe4cef2bcd
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0
-
server_id
1308798365948969031
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 1 discord.com 4 discord.com 6 discord.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1552 Client-built.exe Token: SeDebugPrivilege 4668 taskmgr.exe Token: SeSystemProfilePrivilege 4668 taskmgr.exe Token: SeCreateGlobalPrivilege 4668 taskmgr.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe 4668 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668