Analysis
-
max time kernel
92s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
04-12-2024 11:05
Static task
static1
Behavioral task
behavioral1
Sample
badassfuckingtien.exe
Resource
win10v2004-20241007-en
General
-
Target
badassfuckingtien.exe
-
Size
840KB
-
MD5
264db47eec711ef618870219832e5dfe
-
SHA1
116d2ff601d6640d3fe24fb67492ca2c82d9bbd9
-
SHA256
5c8b1d9c70780e1e669b4b34b0e190f6a691b8ada42179e248513feafe5b9ee5
-
SHA512
1672cbd9273987fd2d3cb1f843e2e28bb4c107913e0d1562ce6cdd7a403ba40e1bdd05647f3d89b0b00a8dff8328c9fad342f1b771ee391990db6d4855d8ad56
-
SSDEEP
24576:9uDXTIGaPhEYzUzA0q5VR0cNnns+UrZtb5jpXw86qh:gDjlabwz9iVR0WnQZ5xpA86qh
Malware Config
Extracted
discordrat
-
discord_token
MTMxMzYwMzQzNTY5MzYwOTEwMg.G0k280.tlujv7Qu1u6uHZMDdDCuyzSTaLQITkGmfU0u3s
-
server_id
1312325986385264681
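The extracted discordrat config can be taken further than the raw token and guild ID. The Python below is an added example written for this page; it is not part of the sandbox report or of the Discord RAT sample. It relies on two documented facts: the first dot-separated segment of a Discord bot token is the base64url-encoded bot user ID, and Discord IDs (users, bots, guilds) are snowflakes whose top 42 bits are a millisecond timestamp counted from 2015-01-01T00:00:00Z. The three-segment shape check and its minimum segment lengths are this example's own heuristic, and the second and third token segments are not decoded.

```python
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values copied from the "Malware Config / Extracted" section of this report.
DISCORD_TOKEN = "MTMxMzYwMzQzNTY5MzYwOTEwMg.G0k280.tlujv7Qu1u6uHZMDdDCuyzSTaLQITkGmfU0u3s"
SERVER_ID = 1312325986385264681

# Discord snowflake IDs (users, bots, guilds) carry a millisecond timestamp
# in their top 42 bits, counted from 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Loose shape check for a bot token: three base64url segments. The minimum
# segment lengths are this example's heuristic, not a Discord specification.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{20,}$")


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def bot_id_from_token(token: str) -> Optional[int]:
    """Return the bot user ID encoded in the first token segment, or None if
    the string is not shaped like a token or the segment is not a numeric ID.
    Only the first segment is needed for this pivot; the secret part is unused."""
    if not TOKEN_SHAPE.match(token):
        return None
    first = token.split(".", 1)[0]
    try:
        decoded = base64.urlsafe_b64decode(first + "=" * (-len(first) % 4))
    except (binascii.Error, ValueError):
        return None
    return int(decoded) if decoded.isdigit() else None


def enrich_discordrat_config(token: str, server_id: int) -> dict:
    """Turn the raw extracted config into fields an analyst can pivot on
    without storing the secret token itself."""
    bot_id = bot_id_from_token(token)
    if bot_id is None:
        raise ValueError("extracted discord_token is not a well-formed bot token")

    def fmt(dt: datetime) -> str:
        return dt.replace(microsecond=0).isoformat()

    return {
        "bot_user_id": bot_id,
        "bot_created_utc": fmt(snowflake_to_datetime(bot_id)),
        "server_id": server_id,
        "server_created_utc": fmt(snowflake_to_datetime(server_id)),
        # Keep only the ID-bearing prefix so the record can be matched across
        # samples without carrying the secret part of the token.
        "token_prefix": token.split(".", 1)[0],
    }


if __name__ == "__main__":
    for key, value in enrich_discordrat_config(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Run against the values above, the bot account dates to 2024-12-03 UTC and the guild to 2024-11-30 UTC, both within days of the 04-12-2024 submission, which is the freshly minted account pattern to expect for a Discord-C2 RAT. The bot user ID and guild ID are the safe pivots for hunting and for a report to Discord; the full token should stay out of tickets and shared IoC feeds.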
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: badassfuckingtien.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | badassfuckingtien.exe
-
Executes dropped EXE 1 IoCs
Processes: backdoor.exe
pid | Process
2176 | backdoor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: backdoor.exe
description | pid | Process
Token: SeDebugPrivilege | 2176 | backdoor.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: badassfuckingtien.exe
description | pid | Process | procid_target
PID 4988 wrote to memory of 2176 | 4988 | badassfuckingtien.exe | 92
PID 4988 wrote to memory of 2176 | 4988 | badassfuckingtien.exe | 92
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe"
   PID: 4988
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe (child of PID 4988)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      PID: 2176
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\System32\rundll32.exe
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 2624
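The signatures and the process tree describe a single chain: the submitted file is a WinRAR self-extracting archive (a RarSFX<n> directory under %TEMP% is where WinRAR SFX stubs unpack their contents), it reads the Geo\Nation key, writes into the memory of the backdoor.exe it launched, and that dropped payload enables SeDebugPrivilege. The rundll32 SHCreateLocalServerRunDll process sits at tree depth 1 with no signatures and is not linked to the sample. The Python below is an added example, not the sandbox's own detection logic, that correlates constructed events mirroring those rows into a dropper/payload pair; the event schema, the placeholder parent PID 1234 and the rule names are this example's own assumptions.

```python
import re

# Constructed events mirroring the process tree and signatures in this report.
# The schema and the placeholder parent PID 1234 are this example's own.
EVENTS = [
    {"type": "process_create", "pid": 4988, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe"},
    {"type": "registry_query", "pid": 4988,
     "key": r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2176, "ppid": 4988,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"},
    {"type": "write_process_memory", "pid": 4988, "target_pid": 2176},
    {"type": "write_process_memory", "pid": 4988, "target_pid": 2176},
    {"type": "adjust_token", "pid": 2176, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 2624, "ppid": 1234,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
]

# WinRAR SFX stubs unpack into %TEMP%\RarSFX<n>\ before running the payload.
SFX_DROP = re.compile(r"\\Temp\\RarSFX\d+\\[^\\]+\.exe$", re.IGNORECASE)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

RULE_SFX_DROP = "sfx_dropped_exe"
RULE_GEOFENCE = "geofence_check"
RULE_WPM_CHILD = "parent_writes_child_memory"
RULE_SEDEBUG = "sedebug_in_dropped_exe"


def find_sfx_chains(events):
    """Pair each executable launched from an SFX temp directory with its parent
    and record which of the report's behaviours fired on that pair."""
    image, parent = {}, {}
    geofence_pids, sedebug_pids, wpm_pairs = set(), set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image[ev["pid"]] = ev["image"]
            parent[ev["pid"]] = ev["ppid"]
        elif kind == "registry_query" and GEO_KEY.search(ev["key"]):
            geofence_pids.add(ev["pid"])
        elif kind == "write_process_memory":
            wpm_pairs.add((ev["pid"], ev["target_pid"]))
        elif kind == "adjust_token" and ev["privilege"] == "SeDebugPrivilege":
            sedebug_pids.add(ev["pid"])

    chains = []
    for pid, img in image.items():
        if not SFX_DROP.search(img):
            continue
        dropper = parent[pid]
        stages = {RULE_SFX_DROP}
        if dropper in geofence_pids:
            stages.add(RULE_GEOFENCE)
        if (dropper, pid) in wpm_pairs:
            stages.add(RULE_WPM_CHILD)
        if pid in sedebug_pids:
            stages.add(RULE_SEDEBUG)
        chains.append({
            "dropper_pid": dropper,
            "dropper_image": image.get(dropper),
            "payload_pid": pid,
            "payload_image": img,
            "stages": sorted(stages),
        })
    return sorted(chains, key=lambda c: c["payload_pid"])


def triage(events):
    """Chains plus the PIDs that took part in none of them (noise to leave out
    of the write-up, like the shell COM server rundll32 in this report)."""
    chains = find_sfx_chains(events)
    involved = {c["dropper_pid"] for c in chains} | {c["payload_pid"] for c in chains}
    seen = sorted({ev["pid"] for ev in events if ev["type"] == "process_create"})
    return {"chains": chains, "unrelated_pids": [p for p in seen if p not in involved]}


if __name__ == "__main__":
    result = triage(EVENTS)
    for chain in result["chains"]:
        print(f"{chain['dropper_pid']} -> {chain['payload_pid']}: {', '.join(chain['stages'])}")
    print("unrelated:", result["unrelated_pids"])
```

The Geo\Nation read is deliberately counted only as a stage of an existing SFX chain rather than as a finding on its own: many legitimate installers and applications query that key, so on its own it is noise, while an SFX payload whose parent checked the locale and then wrote into its memory before it enabled SeDebugPrivilege is the full behaviour this report describes.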
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
78KB
-
MD5
83584a62c33baae3be8b48c32ae4acb6
-
SHA1
9bb68ea8bb9f2c2e54d9a0efff4a66a512ac90b5
-
SHA256
56bc5859994282eb5b672c9b27c2ef7cad232af34c9033077a949b04d6c55c58
-
SHA512
554caabadea24ad0c2f0e1c55632d76b12e2f19ce506f5dffa39f841e35d263bffb001e2f6ebab043070794f97f988802e3db086092e28f262b36569ed8c7d79