Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 06:13

General

  • Target

    e065095e64a2740805f1bd204910ddd3984140db6e0287a6896ba14f7b478370.exe

  • Size

    653KB

  • MD5

    b29ea93cfaae2ba95253379ed104b887

  • SHA1

    1bbc44a5be1b47fa810932e23f89c561699b12a0

  • SHA256

    e065095e64a2740805f1bd204910ddd3984140db6e0287a6896ba14f7b478370

  • SHA512

    de1efd1015123415f7f701467e7d44b272588a0a6d0f8cef7fe3cdaa07edabb58e3ffa54af13f57fd46aad0094dfdd80e34eee963e280d4e12d7a6260029cb86

  • SSDEEP

    12288:EyveQB/fTHIGaPkKEYzURNAwbAg1UlzC/OrE0lv71l:EuDXTIGaPhEYzUzA0BOrFx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzIxMzAwMzgxNjUwMTI1OA.GOxde6.qvLdHYSl6XVCI4Rb82L89AZW9W2eFIIV3Bv2gA

  • server_id

    1317212558100267051

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e065095e64a2740805f1bd204910ddd3984140db6e0287a6896ba14f7b478370.exe
    "C:\Users\Admin\AppData\Local\Temp\e065095e64a2740805f1bd204910ddd3984140db6e0287a6896ba14f7b478370.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puerta.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puerta.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puerta.exe

    Filesize

    78KB

    MD5

    5e62e33541e261796757002568244d4c

    SHA1

    f63410ad05a494e2eda0ccc0c4723112968438f0

    SHA256

    3f49b5258d58f497c3090a8e480e2945c19bd95cbd5e190689eff4d7d79b70b2

    SHA512

    35b24160a0d3e3061ca4a85fa4d384814639981c9cbc28c0cbab4700ab4c41811a42a447da9e839eaaad50a05ac3d7ad5eb127d45dd774b320cecaf7990892b6

  • memory/1460-14-0x00007FFBAD013000-0x00007FFBAD015000-memory.dmp

    Filesize

    8KB

  • memory/1460-15-0x000001CAC2700000-0x000001CAC2718000-memory.dmp

    Filesize

    96KB

  • memory/1460-16-0x000001CADCCF0000-0x000001CADCEB2000-memory.dmp

    Filesize

    1.8MB

  • memory/1460-17-0x00007FFBAD010000-0x00007FFBADAD1000-memory.dmp

    Filesize

    10.8MB

  • memory/1460-18-0x000001CADD5F0000-0x000001CADDB18000-memory.dmp

    Filesize

    5.2MB

  • memory/1460-19-0x00007FFBAD013000-0x00007FFBAD015000-memory.dmp

    Filesize

    8KB

  • memory/1460-20-0x00007FFBAD010000-0x00007FFBADAD1000-memory.dmp

    Filesize

    10.8MB