Overview

overview

10

Static

static

3

1324648543..._1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1324648543721361449-1324648543402725396-Imagen-loro_1.exe

  • Size

    709KB

  • MD5

    9141efe15618fa406c09c030e5595f9e

  • SHA1

    9cef69b36e557260b20298f48d11148cc9b83230

  • SHA256

    c41c0a3aff41ec17de75cd8f31f268f5063693743eb4639c907042574b3724ca

  • SHA512

    4a23ca9a5d35b289d9b3db7433ed9d7345ab4154e49f5bb8a0df995f28fa3ac75d25114c2ee0ba6352d80b779c9e0e50b2644e31f801a71ec8075fdb32e668ef

  • SSDEEP

    12288:zyveQB/fTHIGaPkKEYzURNAwbAgXJEOcCqcko1q+tKMm1CMyo:zuDXTIGaPhEYzUzA0jyFo1e1gbo

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyNDU1MTY2MzgxNzU5MjgzMg.Gsv4Af.87VMMw-6giEs1pl29CsssUr3cLvco6RhvCUymA

  • server_id

    1324552691812405278

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe
    "C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4012
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1980
    • C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe
      "C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\backdoor.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\backdoor.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      Filesize

      78KB

      MD5

      dfdb4e31afcca54bbd536d1ff9f378c3

      SHA1

      88f973a381b342cb4bfd0952cd4985d83f0032d1

      SHA256

      9faf3b2adc648c52ed8f3930475cd2e75b5b415d50fb1b5d865c3ef15c77fc02

      SHA512

      f26d29f9c7433e82bbb3e99b41581689e9b487ea0ed61ae663f65bc28b705a7c1051a766c405394ee0d4a056d3a02a0c84fdebb307ac232d765c7e710dfaf207

      Download Submit

    • memory/3068-14-0x00007FFD30C53000-0x00007FFD30C55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3068-15-0x000002E1D13E0000-0x000002E1D13F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3068-16-0x000002E1EBAA0000-0x000002E1EBC62000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3068-17-0x00007FFD30C50000-0x00007FFD31711000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3068-18-0x000002E1EC2A0000-0x000002E1EC7C8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3068-33-0x00007FFD30C50000-0x00007FFD31711000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3068-32-0x00007FFD30C53000-0x00007FFD30C55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4012-19-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-31-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-30-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-29-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-28-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-27-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-26-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-25-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-21-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4012-20-0x0000018F0EB10000-0x0000018F0EB11000-memory.dmp

      Filesize

      4KB

      Download