Overview

overview

10

Static

static

10

StupidMonkey.exe

windows7-x64

10

StupidMonkey.exe

windows10-2004-x64

10

Resubmissions

24-01-2025 19:14

250124-xxql4stmey 10

24-01-2025 09:33

250124-lh9wnasrhn 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    StupidMonkey.exe

  • Size

    70KB

  • MD5

    4c785ba0487bfec51faf4788d564ee9f

  • SHA1

    786fdc994a71d7e02a556e3f720b41a096a789f5

  • SHA256

    c81ae973db641e3c60912166be8979a60b95253ae290c145b9a2133ad7a2ebb8

  • SHA512

    b6b7fbd58e1c3657a81d17a974fc609c1af29dab6489685d2eea5e1397e12853c17086a537f7607aef6833f358965788adc961b44eeff21530ff89f9776eee06

  • SSDEEP

    1536:X7eLuJn1XH70d76kbDD0k2jF16K7HmTzOt5YP:X79hpb0YkbDLE57HmTzOts

Score
10/10
discordratxwormdiscoveryexecutionpersistenceratrootkitstealertrojan

Malware Config

Extracted

Family

xworm

C2

wood-matches.gl.at.ply.gg:23086

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzMDMyNzc3MjM3NTAyNzgxMg.GWNm0N.hjhDXtec3jd5n3sEjWHGfGyOO28kBaPWiS-HPA

  • server_id

    1330267614202560512

Signatures

  • Detect Xworm Payload 1 IoCs
  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe
    "C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\StupidMonkey.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'StupidMonkey.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Client Server Runtime Process'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client Server Runtime Process" /tr "C:\ProgramData\Client Server Runtime Process"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2900
    • C:\Users\Admin\AppData\Local\Temp\nwoakg.exe
      "C:\Users\Admin\AppData\Local\Temp\nwoakg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 296 -s 596
        3⤵
        • Loads dropped DLL
        PID:1904
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {27D23627-06BC-4107-8D63-8E501E40B2B1} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
      PID:1736
    • C:\Windows\system32\calc.exe
      "C:\Windows\system32\calc.exe"
      1⤵
        PID:2368
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7809758,0x7fef7809768,0x7fef7809778
          2⤵
            PID:2860
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1372,i,14139531165181368329,17435106598051674432,131072 /prefetch:2
            2⤵
              PID:1776
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1372,i,14139531165181368329,17435106598051674432,131072 /prefetch:8
              2⤵
                PID:1052
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1372,i,14139531165181368329,17435106598051674432,131072 /prefetch:8
                2⤵
                  PID:3056
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1372,i,14139531165181368329,17435106598051674432,131072 /prefetch:1
                  2⤵
                    PID:320
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1372,i,14139531165181368329,17435106598051674432,131072 /prefetch:1
                    2⤵
                      PID:2504
                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                    1⤵
                      PID:300

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                      Filesize

                      16B

                      MD5

                      18e723571b00fb1694a3bad6c78e4054

                      SHA1

                      afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                      SHA256

                      8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                      SHA512

                      43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1UAIIXJ0CT2EWD6IU6MH.temp
                      Filesize

                      7KB

                      MD5

                      d12ffe4ff8697354bc03a6714072275b

                      SHA1

                      0ec53b27c31d247d2048a7addd64002e9f67b65c

                      SHA256

                      0e97844839663bfb3142bff6d1de90df9be4147b2b13269b9420c00a2146eb31

                      SHA512

                      4549e980dc08ee6a39a07a22f910e4b796d8aac07f2c77899138e58eea73846ecc560614ebe7b22f0f82ae432c39a5df60fb74bf3893a1f2eb043ec295d01100

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\nwoakg.exe
                      Filesize

                      78KB

                      MD5

                      24b361200a5fc61a62657c8ef7886d1f

                      SHA1

                      a6e4602b47f50e943603c5164bd6750e3b58a5ef

                      SHA256

                      7f4b62dd5a02a17056e390f59bca7a314d40bc3e8928307a56b558033dd58bb7

                      SHA512

                      a1081da6c801dbe649b25c7bc7fce26a20d22b574df0b9b0050ec8089acc29f86f28f77bdbd3610210452255162939832c7a7e35344a9335981e0fef4cd4542a

                      Download Submit

                    • memory/296-38-0x000000013FDF0000-0x000000013FE08000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/1972-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1972-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1972-31-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1972-45-0x0000000001FD0000-0x0000000001FDC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/1972-1-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/2720-15-0x000000001B780000-0x000000001BA62000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2720-16-0x0000000002340000-0x0000000002348000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2800-7-0x0000000002D90000-0x0000000002E10000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/2800-8-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2800-9-0x0000000002790000-0x0000000002798000-memory.dmp

                      Filesize

                      32KB

                      Download