Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 09:14

General

  • Target

    Veno.exe

  • Size

    5.2MB

  • MD5

    1fd54055c3703fba5e110b0e68fd434b

  • SHA1

    26845bbcd373bb281891699f49541454598edfcf

  • SHA256

    c74979f0e2b603d690941c512cf4aa6824aea56aa6de9c333d2be13f4dde65f6

  • SHA512

    50f5688c5a97de64f8f78cd767a18e52fe830ec1321744535f3dc84d2f6a7a68af247171a5d7e0b6b8528c098aaaae09cde1b70a896838a82ef580064e81722b

  • SSDEEP

    98304:Aqw6Y+PiWjIOMLRqWqZD0ofvE7TY5kGdRUy4bz6cCMHps/KHNNiVakHoxdy:Aqw65PhVM83nEaLRU9z3CeaK0V4xI

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA

  • server_id

    1317719739920810024

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Veno.exe
    "C:\Users\Admin\AppData\Local\Temp\Veno.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5
          4⤵
          PID:2236
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          4⤵
          PID:4268
        • C:\Windows\system32\find.exe
          find /i /v "certutil"
          4⤵
          PID:1772
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:4924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe

    Filesize

    4.2MB

    MD5

    c0d825abe1d07e86d7b5eca9d2097fdb

    SHA1

    db2a8ae778689500f8293fc0a0e341961317875c

    SHA256

    b261b1c42f321c0459f59f11a68a427c73ea93871c0979c030e1e11b786a75e4

    SHA512

    a2ef1f01b4842f2d20a6894047c6daa32e315e1e8b44861d8c3afcbea7c0178a7fe613634e40b9c331a29a9da56d20ffb851395244d7ec96dc26aa91ddb07180

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe

    Filesize

    935KB

    MD5

    f4c5c039bc56bba0de398c4ac3641d3c

    SHA1

    2e173c4e3013da53126d8c276041d1e1174ec349

    SHA256

    3afa2e021f7b236a7584d401346dd2340c9d93ef5dd931692bb2f1133d4a3a38

    SHA512

    709e8ba1e290b9361e81b7127593b3b02a5b12fedb020455552f681eeaeef1f021f879f21cb6d3049982c4c847c4d3b67423ead294449706b3c16ed4befc2519

  • memory/4924-24-0x00007FF701090000-0x00007FF701BD6000-memory.dmp

    Filesize

    11.3MB

  • memory/4924-26-0x00007FF701090000-0x00007FF701BD6000-memory.dmp

    Filesize

    11.3MB

  • memory/4924-27-0x00007FF701090000-0x00007FF701BD6000-memory.dmp

    Filesize

    11.3MB

  • memory/4924-28-0x000002D8B8000000-0x000002D8B81C2000-memory.dmp

    Filesize

    1.8MB

  • memory/4924-29-0x000002D8B8800000-0x000002D8B8D28000-memory.dmp

    Filesize

    5.2MB