Overview

overview

10

Static

static

3

toystorylogo-4k.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2025 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toystorylogo-4k.exe

  • Size

    524KB

  • MD5

    34ae0745931735f6af04adce8c1358d4

  • SHA1

    825aabac462d7cdf80cd864a37e52175b2b78c0c

  • SHA256

    4c56e50351c382dc82173c238228540ee12ecd399a8aab16d9bc49bfa4031e12

  • SHA512

    5dc2f74cd7baad445650c57332a4c46462323635b40360915bc07dabfa69d9a4419528c4e4fd73efae59e68aa9220083ce5cbbcaa06c742eafc47f7350acdc43

  • SSDEEP

    12288:3yveQB/fTHIGaPkKEYzURNAwbAg8j03rxuLrW:3uDXTIGaPhEYzUzA0qI3NuLrW

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzNjA0MTEzNzYxNzc2NDUxNQ.GWUfuA.NHNO6tvAPM86NN4d9WM8wruyH3mk45GH-m19GM

  • server_id

    1336040095018520668

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe
    "C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe
    Filesize

    78KB

    MD5

    2b0bb0b81b221965408bc75caf13f1e6

    SHA1

    3bf4b6917c1c6e943613507c8a15f2c0a504dd85

    SHA256

    5cdcda478e5966aecc8b166f7899cc82e423ec3ff5af27061d1814b2cbe6c23e

    SHA512

    2796ad2d3d5299df540684cc6b6c250915c5d7960e0015c506eac950c44cd6e0ebe8c1eef5f50badaa387f7f811c4ffb4179f19a6520ef2933becfd4480bf58a

    Download Submit

  • memory/2100-14-0x00007FF972E93000-0x00007FF972E95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2100-15-0x000001BC190F0000-0x000001BC19108000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2100-16-0x000001BC33900000-0x000001BC33AC2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2100-17-0x00007FF972E90000-0x00007FF973951000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2100-18-0x000001BC34100000-0x000001BC34628000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2100-33-0x00007FF972E90000-0x00007FF973951000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2100-32-0x00007FF972E93000-0x00007FF972E95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3916-21-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-25-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-31-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-30-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-29-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-28-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-27-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-26-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-20-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-19-0x00000172393D0000-0x00000172393D1000-memory.dmp

    Filesize

    4KB

    Download