Overview

overview

10

Static

static

3

Nitropics�...��.exe

windows7-x64

10

Nitropics�...��.exe

windows10-2004-x64

Analysis

  • max time kernel
    839s
  • max time network
    839s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nitropics‮gpj‮.exe

  • Size

    465KB

  • MD5

    ae0671278c558993251145b11d811451

  • SHA1

    509817db1f651ceb1e8a51f6fa15a244b1a31530

  • SHA256

    09c5a6d42c50ec674dc6deacdf2e0a3d2767ea36a6b57f0f4dd70fe8aab84b66

  • SHA512

    f23cb25ea577743fbbc7d14c5265ae90b1cd1ee6dbba3694e8274be6c188c2571d83c362984e22deb6ff9e902cdd3b8b251becafe1e19afb05cfcfe18fe2819f

  • SSDEEP

    12288:bBdlwHRn+WlYV+5XQwmV4gxO+WH7YKkVnF:bBkVdlYA5gwmV4gxO+WH0FnF

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNTg2OTM0MzczMjQ2NTY5NA.GkK745.9MtESkOseU77lQKPBYHDluyVKPE-w0i6qkwHOo

  • server_id

    1315868996016275477

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitropics‮gpj‮.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitropics‮gpj‮.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1780 -s 596
        3⤵
        • Loads dropped DLL
        PID:2968
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hq720.jpg
    Filesize

    23KB

    MD5

    25f8fbe6b5fdbbba848ae86b558e38f6

    SHA1

    f57a36422275e212839c12647f37cb5b5f019e69

    SHA256

    07cebe4e515855cd605205b113ec1e7f5122f84d24129572fe05f7885541e396

    SHA512

    7eba3fff3d2b2d50dd7a4c3b5abd23318eac6d0ccf4fa8bfc920728db019f6da17750dc31f15d2b6142d5be36c759c738c1ec337993b26557e3ecd634955f4a4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe
    Filesize

    78KB

    MD5

    7b9ea3b553fb5a689c1ba4e634c40943

    SHA1

    2d0b6dcfd0e0bdad725271e58d1771bad3e95a88

    SHA256

    8618a4c62725911d760713dcbf33694ae26cd177aaac27cf38b495c638a40f4f

    SHA512

    c92cc36f24d09d0f856c5d9bd23321168c2e34b63bf9b18cd3205a0301c05e054112b85483be8d5c0dc35dd23d6aca3c39d202a6f44c283f1829db29702c399e

    Download Submit

  • memory/1780-15-0x000000013FD90000-0x000000013FDA8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2496-7-0x0000000000100000-0x0000000000102000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2496-8-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2496-22-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-6-0x0000000000450000-0x0000000000452000-memory.dmp

    Filesize

    8KB

    Download