Analysis
max time kernel: 77s
max time network: 73s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/12/2024, 16:22
Behavioral task: behavioral1
Sample: MALWARE DONT RUN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: MALWARE DONT RUN.exe
Resource: win10v2004-20241007-en
General
Target: MALWARE DONT RUN.exe
Size: 78KB
MD5: 67ecf78171011aafa55ad542aeb446f4
SHA1: f63949d3ea62224cf4dfbbad9c7366ce5662ad77
SHA256: 68a982b3a4546c50b7cbf49ae97e9ad5b34340331131e342ebf8663ad7ca94f5
SHA512: aa4e5e31a99af901e06b7f253e05b598691ad9e867c3c34a4c2ea0f936cdc4964f6982ff4aa27c546666f5345e4ee2ae521ef0e2483c4371ee28ad481632fcb4
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC
Malware Config
Extracted: discordrat
discord_token: MTMxODMxNzY5MjIwNTI2OTA0Mw.GJ6Gzb.6ahR4c80H2mceTshl9pACIQdGhJ4AEZIOye_x0
server_id: 1317445742540882003
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Discordrat family
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | MALWARE DONT RUN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow | ioc
8 | discord.com
30 | discord.com
50 | raw.githubusercontent.com
49 | discord.com
51 | raw.githubusercontent.com
53 | discord.com
54 | discord.com
55 | discord.com
7 | discord.com
16 | discord.com
27 | discord.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4460 | SCHTASKS.exe
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1244 | MALWARE DONT RUN.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1244 | MALWARE DONT RUN.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1936 | LogonUI.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1244 wrote to memory of 4460 | 1244 | MALWARE DONT RUN.exe | 101
PID 1244 wrote to memory of 4460 | 1244 | MALWARE DONT RUN.exe | 101
PID 1244 wrote to memory of 1308 | 1244 | MALWARE DONT RUN.exe | 103
PID 1244 wrote to memory of 1308 | 1244 | MALWARE DONT RUN.exe | 103
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\MALWARE DONT RUN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MALWARE DONT RUN.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1244
  C:\Windows\SYSTEM32\SCHTASKS.exe
    Command line: "SCHTASKS.exe" /create /tn "$77MALWARE DONT RUN.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\MALWARE DONT RUN.exe'" /sc onlogon /rl HIGHEST
    - Scheduled Task/Job: Scheduled Task
    PID: 4460
  C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /L
    PID: 1308
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38cc855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1936