Overview

overview

10

Static

static

10

olduimatrix.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    873s
  • max time network
    888s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    22-02-2025 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    olduimatrix.exe

  • Size

    98KB

  • MD5

    9117f3f95888ab5de9da24ab2965cc5a

  • SHA1

    2df63c9abcf08e58bcc6fd3891cbf1be30ac1d6d

  • SHA256

    4828bdac5bb23ffcea7f6c51142e32157ac2ca80620d1e39b3170513e116b05e

  • SHA512

    18d02eb4de36d1c670a4eacdbbb269554b212a379013b17f2d990ea594ef1ec57e0b616985bc53f866dab051d5ce2499bea59340fc58f3d906c42082bcae0f36

  • SSDEEP

    1536:92WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+DPISWlKKBh0NjD3C+GlEQ:9Zv5PDwbjNrmAE+bISTbDVGaQ

Score
10/10
discordratpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM0MjkxNTYzNjA0NDYzMjE4MA.GLuN76.KEi91jZBbiW-Aa2A5gBlUy7tjno2DDMvendvrg

  • server_id

    1342915521502384308

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Downloads MZ/PE file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 54 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
    ransomware
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\olduimatrix.exe
    "C:\Users\Admin\AppData\Local\Temp\olduimatrix.exe"
    1⤵
    • Downloads MZ/PE file
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C systeminfo
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        3⤵
        • Gathers system information
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3384-0-0x00007FF9063D3000-0x00007FF9063D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3384-1-0x000001C9F8D30000-0x000001C9F8D4C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3384-2-0x000001C9FB320000-0x000001C9FB4E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3384-3-0x00007FF9063D0000-0x00007FF906E92000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3384-4-0x000001C9FBB20000-0x000001C9FC048000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3384-5-0x00007FF9063D3000-0x00007FF9063D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3384-6-0x00007FF9063D0000-0x00007FF906E92000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3384-7-0x000001C998000000-0x000001C99800E000-memory.dmp

    Filesize

    56KB

    Download