Resubmissions
01-12-2024 22:55  241201-2wf4hawlgz  10
01-12-2024 15:41  241201-s4269svncx  10
01-12-2024 15:38  241201-s23p1szkbp  10
01-12-2024 15:30  241201-sxv5dazjcl  10

Analysis
max time kernel: 150s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-12-2024 15:30
Behavioral tasks
behavioral1  Sample: Client-built.exe  Resource: win7-20240729-en
behavioral2  Sample: Client-built.exe  Resource: win10v2004-20241007-en
behavioral3  Sample: Client-built.exe  Resource: win10ltsc2021-20241023-en
behavioral4  Sample: Client-built.exe  Resource: win11-20241007-en
General
Target: Client-built.exe
Size: 78KB
MD5: e8ff8d278de10cc2f7255b156ae2d252
SHA1: c91554ef849852360499b82579ca0c41c9dfde21
SHA256: 08d4d8a882d74fa4d9525a5c78351bb3eba95f1c7d78f75c2f5d606715059e90
SHA512: c9eb226331c00b915c5ff5b2b407aa6f31536b671bff1cf11aa512d3cd4a60d0c9db14e5e4aee554e74259fcd755e9d835a960838d679e389943be0f20f65952
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+tPIC:5Zv5PDwbjNrmAE+9IC
Malware Config
Extracted: discordrat
discord_token: MTMxMjc5OTI3NDI3NDEyNzkyMg.GOuWiR.FNWWDzhiZI-BJlCUAsWOf3Q5avMNCiFtgUWBSQ
server_id: 1307914676973076521
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Discordrat family

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow  ioc
13    discord.com
14    discord.com
4     discord.com
7     discord.com
8     discord.com
9     discord.com
10    discord.com
3     discord.com
11    discord.com
12    discord.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
description       ioc                                                                                          Process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"      LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent             LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"            LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"         LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"       LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"      LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"  LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"   LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                       LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"       LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00  LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History             LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"  LogonUI.exe

Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege  pid: 1960  Process: Client-built.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 3812  Process: LogonUI.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process           procid_target
PID 1960 wrote to memory of 2184   1960  Client-built.exe  77
PID 1960 wrote to memory of 2184   1960  Client-built.exe  77
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 1960
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /L
      PID: 2184

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3a04855 /state1:0x41c64e6d
  PID: 3812
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx