Analysis Overview
SHA256
c1e6b4a0fbc8a4847fb5d8407153a88ab855de8b3ce5ae90d9b4fa3b5d357df9
Threat Level: Known bad
The file svc_host.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 07:43
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 07:43
Reported
2024-03-15 07:46
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Discord RAT
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svc_host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svc_host.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\svc_host.exe
"C:\Users\Admin\AppData\Local\Temp\svc_host.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.0.844200615\1265675642" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07485867-a8db-4a62-b396-6db09f778ac2} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 1976 1d3aafdc158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.1.1410095613\1963065234" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee25852-c13b-4a15-8817-e0f5437fc247} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 2376 1d3aaefa558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.2.1430170016\2104520590" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3100 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3c1f7f-624f-41dc-aa42-1f3ce971ecb0} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 3116 1d3aaf61158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.3.1792211377\695340028" -childID 2 -isForBrowser -prefsHandle 1028 -prefMapHandle 1104 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {976b810b-1952-4c9c-ba28-780c759f110e} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 3616 1d39e761f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.4.2034656483\875799243" -childID 3 -isForBrowser -prefsHandle 4316 -prefMapHandle 4340 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {903648f3-1917-4732-a002-55657629de4d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 4256 1d3b02dc758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.5.915622085\1105427084" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55c0a0e-4644-404f-bb3e-6ec7954a8c8d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5200 1d39e72e458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.6.604236659\171800177" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5316 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f442374b-1519-4bfd-b41c-0d23cdf1f96d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5152 1d3b13c4458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.7.1170322613\1286592457" -childID 6 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {279b6e3f-4b80-4028-9e9e-f105968ae9be} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5588 1d3b13c5f58 tab
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\svc_host.exe
"C:\Users\Admin\AppData\Local\Temp\svc_host.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 44.230.91.85:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:52740 | N/A | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 85.91.230.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:52746 | N/A | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.130.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
Files
memory/4872-0-0x0000023FD2520000-0x0000023FD2538000-memory.dmp
memory/4872-1-0x0000023FECB00000-0x0000023FECCC2000-memory.dmp
memory/4872-2-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp
memory/4872-3-0x0000023FECA60000-0x0000023FECA70000-memory.dmp
memory/4872-4-0x0000023FED340000-0x0000023FED868000-memory.dmp
memory/4872-5-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp
memory/4872-6-0x0000023FECA60000-0x0000023FECA70000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\351e179a-84ee-487e-9dc2-3f6c03f98f9c
| Hash | Value |
|---|---|
| MD5 | 364b05b4de9124939f2ae56bb19e4021 |
| SHA1 | 4d75ab8f051806a55be48138f35b280fe40a02aa |
| SHA256 | abedc63d1fa9c2efe6b6775e4d2cc5e99e7cb8ce7a6e2fbe5b2ae19d84bc0ad7 |
| SHA512 | 1ef6e55a10eb61271adfcf622dee18a65fefc134e15f23528c7303b8dc04cd43805355d0093b7bb2a88806cfc436f36bf2b64ae2795f9a80ff06919be193d657 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\e8064f9d-5533-4fed-b0da-745ca8b48d11
| Hash | Value |
|---|---|
| MD5 | 1b4990ac929e5bf1aa952e30fa367bc3 |
| SHA1 | 7fc6ce32d47646b04e15947d00dc4cc1d7980ddf |
| SHA256 | 944121b5a070328a50038361c8993190b832609b23bf87e7ccb60c4e477d6191 |
| SHA512 | 52a55aa80dbafed53c345b0d7e135bce2a9d26b8ff0f7c05a0659500546d1093b12e1efee6b6d7a318350c32d08da7ce8df6ae1f6076858e5df24fc8b58e2207 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin
| Hash | Value |
|---|---|
| MD5 | 94960e47357987e2387d2586316e60c7 |
| SHA1 | 2c99d55a0cbfb73f2081800421eb4aa48d7483a0 |
| SHA256 | 569be2ab63cc7279580ed02a7e09a12d11bf8b8076ef6053d7b0a45bac925ab1 |
| SHA512 | 9e40501a932b63ef70768dd9060994f84a622695bf8c9afa79c5d04ef6ee76cd000f5d64cf836c87e2f0101b7f8d3f055da1b31b98a9c45fb395bffa66448a52 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js
| Hash | Value |
|---|---|
| MD5 | 4214b6a3945e6084590f58c3530cf308 |
| SHA1 | 8f0c397f4c027658af2f54e9985b412c780dbf72 |
| SHA256 | 567cbc51ee36f21cc5650b3df061b1011a73ef055bf42e93cbc47fd9356faf2c |
| SHA512 | 738d4ff994810764c49cf054e8b56cd0ac3e2477865607b529ca3cbce48ae0151b5f74937fd794bca52f0e3a2ba645ed46c2845591cfc05d036baeb7b6978dad |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js
| Hash | Value |
|---|---|
| MD5 | f6e39e5f8ed82524bdfac8a3b3d3dea4 |
| SHA1 | eed8315e00c678d3583c0cde8677b72a88d1ec12 |
| SHA256 | cafd914e07ddbbdccd40cec4d0bbde87e75f9c913b5f885a69af493ba5c8dd0b |
| SHA512 | d763e31d5715146c1edeade3ee00a470596b6f1d1d8cea8b42d90b925a0b8d90385733414a0f56498ffae9cbc9c4efcb484db06dc3fb18cca8b3631dcc8e8d13 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js
| Hash | Value |
|---|---|
| MD5 | 373a869ebbc88dafb527739fbadc9930 |
| SHA1 | 8680487b85ee810366b6f2bd9491ab1181d93669 |
| SHA256 | 068cf3131aa8e707b1e614663e3b6bc8fe67b37a1a6ba96739aaa5c32b12add4 |
| SHA512 | 99e5c963f6bbe9c6822c1491b4de223ce8aef5f7f18d355227ddff4d5c2e4631d094ba10dfb5f1e28eed01c4e80b94f3d77c1037d8ec908e29273d839764ca5e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore.jsonlz4
| Hash | Value |
|---|---|
| MD5 | fad6ba70afa5a1c7a60249acc56aba87 |
| SHA1 | ea9ab4daa0d5e17a573c9b05d87532c74a36a488 |
| SHA256 | 4d8b3708606fdfa4a3ec42920117930debbb6e36e3ca71e1605e2033c3fe0177 |
| SHA512 | 7b537c4481a383ad8f5607c3d1071b31932814cd436397e1f44fc7de1b6055fe3b8d31c61e77ba33ae8081b3a2ca0f1ae0173f30b231d04ae891968796cb8517 |
memory/2012-167-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-168-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-169-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-173-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-175-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-176-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-177-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-178-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-174-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/2012-179-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp
memory/5168-180-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp
memory/5168-181-0x00000240FABD0000-0x00000240FABE0000-memory.dmp
memory/4872-182-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp
memory/5168-183-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp
memory/5168-184-0x00000240FABD0000-0x00000240FABE0000-memory.dmp