Analysis

  • max time kernel
    94s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 03:39

General

  • Target

    Dog.exe

  • Size

    856KB

  • MD5

    6ef38551bf3cc30999def9436bb4b3bc

  • SHA1

    5276746250c405cccc05223efb6a5310da176369

  • SHA256

    244a73e853d1e90dd78423fe0bc098e9623b9c875b28fdf84ae18bbdd81ecfd3

  • SHA512

    2e978a64af603d84b506d375bfaf29a5cbc1a615a8184050bf36e44fce283919be39bf0c12d551848989a147a77d2614e845f7e73ad1583bf1d2cb1057fe3067

  • SSDEEP

    12288:syveQB/fTHIGaPkKEYzURNAwbAgFp+r/aQLEc50eBPrabPo9/ToGOLK7B:suDXTIGaPhEYzUzA0nk5NTazw/ToGOLg

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwOTAwNDI2MDkzNTIwOTAwMg.G34c8h.6Zg2Y0V10sZUSneIGxEx-JKksXx1gmubJztk3w

  • server_id

    1300826072195006494

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dog.exe
    "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SYSTEM32\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$773.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe'" /sc onlogon /rl HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.exe

    Filesize

    78KB

    MD5

    94a29bdb54091972580f2673bd4738ae

    SHA1

    a51549db787f2bf8f1fea1678e92e8e4a1f1ddb4

    SHA256

    b68688756c4768ffb1baadbaadd251f2761bac3174145472830ccc73750b6f3c

    SHA512

    01dbacd953037d8497949c3077bd0a1a099880435cfef3b24a1465349c93c47a298a3dc77c389309caed496e7ff12da4976b429b4160225577a3861757f1f7f4

  • memory/2924-14-0x00007FFE83F73000-0x00007FFE83F75000-memory.dmp

    Filesize

    8KB

  • memory/2924-15-0x000002930C710000-0x000002930C728000-memory.dmp

    Filesize

    96KB

  • memory/2924-16-0x0000029326ED0000-0x0000029327092000-memory.dmp

    Filesize

    1.8MB

  • memory/2924-17-0x00007FFE83F70000-0x00007FFE84A31000-memory.dmp

    Filesize

    10.8MB

  • memory/2924-18-0x00000293275D0000-0x0000029327AF8000-memory.dmp

    Filesize

    5.2MB

  • memory/2924-19-0x00007FFE83F73000-0x00007FFE83F75000-memory.dmp

    Filesize

    8KB

  • memory/2924-20-0x00007FFE83F70000-0x00007FFE84A31000-memory.dmp

    Filesize

    10.8MB

  • memory/2924-21-0x000002930CBC0000-0x000002930CBCE000-memory.dmp

    Filesize

    56KB

  • memory/2924-22-0x00000293271B0000-0x000002932747A000-memory.dmp

    Filesize

    2.8MB