discordrat | 728f6ef5853864664539cd562e33b81138f69609ff37cfcf622b901d2d9d81ff

Reason

Machine shutdown

General

Target

sisso.‮‮‮gpj.exe
Size

772KB
MD5

625bbdfe0046fffc786e7a0a27c10bef
SHA1

77795a62395bb6510057682415666f2f1e017031
SHA256

728f6ef5853864664539cd562e33b81138f69609ff37cfcf622b901d2d9d81ff
SHA512

640e062f7fac6cf5d9ce7200f827dd07c0ca9e48210fc35d165143e0ef318de734e818c58d557c077c6e5e270e0341546b8c86a60d37b339a04eb12667e02da6
SSDEEP

6144:ATouKrWBEu3/Z2lpGDHU3ykJy5UMwQ54zUOYwI9CmbkPryNyATXqF0Dp/frNpxb4:AToPWBv/cpGrU3yTiFb3bWXaiRfrJ4

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODY2NzE5MzE0NzE5NTQ3Mg.GqTYsG.EFDdS3JA4JWiUR6BrjCsNy5QiB52-BMhHIV3cs
server_id
1242941368020766730

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	sisso.‮‮‮gpj.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
56	discord.com
63	discord.com
65	discord.com
45	discord.com
55	discord.com
51	discord.com
52	discord.com
53	discord.com
57	discord.com
58	discord.com
64	discord.com
44	discord.com
48	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisso.‮‮‮gpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	sisso.‮‮‮gpj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4000	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2584	mspaint.exe
2584	mspaint.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	Client-built.exe
Token: 33	880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	880	AUDIODG.EXE
Token: SeShutdownPrivilege	2812	Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	mspaint.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2584	mspaint.exe
2584	mspaint.exe
2584	mspaint.exe
2584	mspaint.exe
2812	Client-built.exe
2812	Client-built.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2584	2300	sisso.‮‮‮gpj.exe	82
PID 2300 wrote to memory of 2584	2300	sisso.‮‮‮gpj.exe	82
PID 2300 wrote to memory of 2584	2300	sisso.‮‮‮gpj.exe	82
PID 2300 wrote to memory of 2812	2300	sisso.‮‮‮gpj.exe	88
PID 2300 wrote to memory of 2812	2300	sisso.‮‮‮gpj.exe	88
PID 2812 wrote to memory of 4000	2812	Client-built.exe	99
PID 2812 wrote to memory of 4000	2812	Client-built.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sisso.‮‮‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\sisso.‮‮‮gpj.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\th-_1_.jpg"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
46cd65e5ff390ddaa6236f272839cc09

SHA1
18a0fd8cc58b4bf61f3bfc499886956cef8d7bd5

SHA256
3f373b012e2c89289a5c81cc78c3722123a7cb0062a0c00089eab6b84141f758

SHA512
f455f71f1d17b9ced82060af29642dc119b7919db0ca9ef9348d098a6a56d08205389a5cf9a07aa9a9a69b31836513e4cf4ca5c4d154be7ecd7ac0e595905db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\th-_1_.jpg

Filesize
51KB

MD5
6bc0a2737f32a599a8070932754eacc4

SHA1
a13f0d4ffd262c09b978233873b823ed4b835ffb

SHA256
4f15cb46a6c6a7799e1cfc07482954d009f8bd513126a80d2565842d6b924df1

SHA512
393269cb8e8ebe7b1987a97703ca18bcc2e3eb62f96924683fc59bdfaf348bdb93929408172a1b97ef3108864cd1d1b4f694bb729408874b902c7c7d43f9e6b1

Download Submit
memory/2812-26-0x0000011C6BF60000-0x0000011C6BF78000-memory.dmp

Filesize
96KB

Download
memory/2812-27-0x0000011C6E570000-0x0000011C6E732000-memory.dmp

Filesize
1.8MB

Download
memory/2812-28-0x0000011C6ED70000-0x0000011C6F298000-memory.dmp

Filesize
5.2MB

Download
memory/2812-29-0x0000011C6E9A0000-0x0000011C6EA4A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads