Analysis
- max time kernel: 94s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2024 03:39
- Static task: static1
- Behavioral task: behavioral1 (Sample: Dog.exe, Resource: win7-20241010-en)
- Behavioral task: behavioral2 (Sample: Dog.exe, Resource: win10v2004-20241007-en)
General
- Target: Dog.exe
- Size: 856KB
- MD5: 6ef38551bf3cc30999def9436bb4b3bc
- SHA1: 5276746250c405cccc05223efb6a5310da176369
- SHA256: 244a73e853d1e90dd78423fe0bc098e9623b9c875b28fdf84ae18bbdd81ecfd3
- SHA512: 2e978a64af603d84b506d375bfaf29a5cbc1a615a8184050bf36e44fce283919be39bf0c12d551848989a147a77d2614e845f7e73ad1583bf1d2cb1057fe3067
- SSDEEP: 12288:syveQB/fTHIGaPkKEYzURNAwbAgFp+r/aQLEc50eBPrabPo9/ToGOLK7B:suDXTIGaPhEYzUzA0nk5NTazw/ToGOLg
Malware Config
Extracted: discordrat
- discord_token: MTMwOTAwNDI2MDkzNTIwOTAwMg.G34c8h.6Zg2Y0V10sZUSneIGxEx-JKksXx1gmubJztk3w
- server_id: 1300826072195006494
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation; Process: Dog.exe
- Executes dropped EXE (1 IoC)
  pid: 2924; Process: 3.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 18 IoCs)
  discord.com: flows 41, 57, 21, 49, 17, 42, 43, 48, 53, 63, 18, 54, 55, 56, 64
  raw.githubusercontent.com: flows 46, 47, 52
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2056; Process: SCHTASKS.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 2924; Process: 3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4176 wrote to memory of 2924 (pid: 4176, Process: Dog.exe, procid_target: 86)
  PID 4176 wrote to memory of 2924 (pid: 4176, Process: Dog.exe, procid_target: 86)
  PID 2924 wrote to memory of 2056 (pid: 2924, Process: 3.exe, procid_target: 93)
  PID 2924 wrote to memory of 2056 (pid: 2924, Process: 3.exe, procid_target: 93)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Dog.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
  PID: 4176
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe"
    PID: 2924
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\SCHTASKS.exe
      Command line: "SCHTASKS.exe" /create /tn "$773.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe'" /sc onlogon /rl HIGHEST
      PID: 2056
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: 94a29bdb54091972580f2673bd4738ae
  SHA1: a51549db787f2bf8f1fea1678e92e8e4a1f1ddb4
  SHA256: b68688756c4768ffb1baadbaadd251f2761bac3174145472830ccc73750b6f3c
  SHA512: 01dbacd953037d8497949c3077bd0a1a099880435cfef3b24a1465349c93c47a298a3dc77c389309caed496e7ff12da4976b429b4160225577a3861757f1f7f4