Analysis
max time kernel: 14s
max time network: 3s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: Dog.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Dog.exe
  Resource: win10v2004-20241007-en
General
Target: Dog.exe
Size: 856KB
MD5: 6ef38551bf3cc30999def9436bb4b3bc
SHA1: 5276746250c405cccc05223efb6a5310da176369
SHA256: 244a73e853d1e90dd78423fe0bc098e9623b9c875b28fdf84ae18bbdd81ecfd3
SHA512: 2e978a64af603d84b506d375bfaf29a5cbc1a615a8184050bf36e44fce283919be39bf0c12d551848989a147a77d2614e845f7e73ad1583bf1d2cb1057fe3067
SSDEEP: 12288:syveQB/fTHIGaPkKEYzURNAwbAgFp+r/aQLEc50eBPrabPo9/ToGOLK7B:suDXTIGaPhEYzUzA0nk5NTazw/ToGOLg
Malware Config
Extracted: discordrat
discord_token: MTMwOTAwNDI2MDkzNTIwOTAwMg.G34c8h.6Zg2Y0V10sZUSneIGxEx-JKksXx1gmubJztk3w
server_id: 1300826072195006494
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Discordrat family

Executes dropped EXE (1 IoC)
  pid   Process
  2100  3.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2220  Dog.exe
  2892  WerFault.exe
  2892  WerFault.exe
  2892  WerFault.exe
  2892  WerFault.exe
  2892  WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process   procid_target
  PID 2220 wrote to memory of 2100  2220  Dog.exe   30
  PID 2220 wrote to memory of 2100  2220  Dog.exe   30
  PID 2220 wrote to memory of 2100  2220  Dog.exe   30
  PID 2100 wrote to memory of 2892  2100  3.exe     31
  PID 2100 wrote to memory of 2892  2100  3.exe     31
  PID 2100 wrote to memory of 2892  2100  3.exe     31
Processes
C:\Users\Admin\AppData\Local\Temp\Dog.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
  PID: 2220
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe"
    PID: 2100
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2100 -s 600
      PID: 2892
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 78KB
MD5: 94a29bdb54091972580f2673bd4738ae
SHA1: a51549db787f2bf8f1fea1678e92e8e4a1f1ddb4
SHA256: b68688756c4768ffb1baadbaadd251f2761bac3174145472830ccc73750b6f3c
SHA512: 01dbacd953037d8497949c3077bd0a1a099880435cfef3b24a1465349c93c47a298a3dc77c389309caed496e7ff12da4976b429b4160225577a3861757f1f7f4