Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    10-04-2024 19:11

General

  • Target

    injector.exe

  • Size

    78KB

  • MD5

    997bc4ce7d58191913f386b62737e547

  • SHA1

    532ec6e768f92ba470673cd24f55458ca7104774

  • SHA256

    2334a4519ae1aa064e12b6484e5ba9e1e16063441be92420d2077f9acf0f04a3

  • SHA512

    1bdb5aa42f44ec2a9395621c7e0ea09784da8a503a6576236c82e12a36a74186104b857d400256c0122e86c000c476f0fa96379ea6ba119689979beae93867f2

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+OPIC:5Zv5PDwbjNrmAE+qIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyNDA2MTAzMzQ4OTEwOTE0Mw.GG6OsM.gvmNCjFemn-m8sco5tZiTQhOWazT7Mq5aDarj8

  • server_id

    1227693529006997554

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3800
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.0.684333800\228608954" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c23a5e2-a099-4fab-9593-f2357be832c4} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 1796 29b87ad4058 gpu
        3⤵
        PID:4972
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.1.1592497209\373274425" -parentBuildID 20221007134813 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a41bbb36-60e3-4717-a155-e45180ad80d8} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 2152 29bffef9558 socket
        3⤵
        • Checks processor information in registry
        PID:1580
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.2.203333548\1838054689" -childID 1 -isForBrowser -prefsHandle 2696 -prefMapHandle 2812 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea1c1b93-562e-4d2c-ad78-ab2f36d4e213} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 2776 29b87a5b358 tab
        3⤵
        PID:1880
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.3.115624222\1245249891" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6092131-1f75-4c10-9b57-8260568d10d2} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 3632 29b8a4de358 tab
        3⤵
        PID:4504
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.4.644408291\1825018664" -childID 3 -isForBrowser -prefsHandle 4080 -prefMapHandle 4072 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb72ab6-7f9d-41bb-bc8e-9a89fe4ab3e5} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 4124 29b8d0f4058 tab
        3⤵
        PID:772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.5.1463751855\464166439" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c9ecb1-548e-4d5c-9b06-28fb00745b87} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 4784 29b8dfc8858 tab
        3⤵
        PID:1036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.6.887883601\1334048829" -childID 5 -isForBrowser -prefsHandle 4916 -prefMapHandle 4920 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce040d24-e610-41e9-b544-9b82b7228b33} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 4908 29b8dfc8e58 tab
        3⤵
        PID:1192
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.7.909461699\322808146" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5b266fc-739e-4ff7-957a-13bb120299fc} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 5100 29b8dfc9a58 tab
        3⤵
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
    Filesize: 13KB
    MD5: acabb733c07b02c89aeafebf1a3a5e3b
    SHA1: 9293a036b1883584680227e86bda4a6772f6f7ff
    SHA256: f7a3d70a88dab545a1bdb8f99318ac8b44435718b4b746b536022fbc25fd28a4
    SHA512: aebf628c6143163fab44cc4170d116310196814794c9caed08f1992cb893dacfcbaf8ec75dfb3ca2fc4c0c2cc197cb8a800fa97e65bb78af11ba861e35e47be9

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize: 8.0MB
    MD5: a01c5ecd6108350ae23d2cddf0e77c17
    SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 3f33bf024b645490457b48deeba1310b
    SHA1: 6207bc28d7e075daadc11b9a3c3e4b6f8438d028
    SHA256: 0ae01518165bf4bc495799d5af4445449e23a99529de21083eeec9556a6e1b56
    SHA512: af7160206586e71f5945e354f49abff085ee1267100ed11b5e39b491556c1c2f099f33ce65f2ba42ac9f15ab85925768858f95c5d5cfb8af887cf8aae7a5b580

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\a12ef75b-9cb2-4d1b-971b-f5560d00fc75
    Filesize: 11KB
    MD5: 09bb3b46e6b36fc27f2269dc4ee226b3
    SHA1: 66f14b4b2daabbab5ebbbbfde6d87dad984102d9
    SHA256: 8ef03fcae64b5b5406f2d7410831bb0a57c4ce1a6c2a304d85f472c49bd7054d
    SHA512: ed139b35693d92d60f8345f8b8ac35122f882209fffa2fcfe53d0fac9ed9ddb350dd9e17947d91f4e4a69997917e9f3d519be0c4ec454b11b8dedc47400d1cc9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\b1ea15ee-55b8-4076-952b-ec3d6b4147e0
    Filesize: 746B
    MD5: c7f448d7d33a5b7839bcc2f99ea5a39a
    SHA1: fa34d9bab72234abe64cd3b66e0845547b96ea47
    SHA256: 315bd695bb55a685f34c939e6dd05a43cc427b0c597bde92909653069ec46074
    SHA512: 56c06ab75c20e61ac52000c93d8239e132ca6c7fe58d460bc2ce5c56d162565c21cd34eec2f68c3a2098bc610c8654da26b2c9f687e9b026a9a83adb429098bd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize: 479B
    MD5: 49ddb419d96dceb9069018535fb2e2fc
    SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize: 372B
    MD5: 8be33af717bb1b67fbd61c3f4b807e9e
    SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
    SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize: 11.8MB
    MD5: 33bf7b0439480effb9fb212efce87b13
    SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
    SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
    SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize: 1KB
    MD5: 688bed3676d2104e7f17ae1cd2c59404
    SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
    SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
    SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize: 1KB
    MD5: 937326fead5fd401f6cca9118bd9ade9
    SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
    SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
    SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize: 8KB
    MD5: b22bd92b98b3caf7a650c7678ceca92a
    SHA1: bb08ef09be565c41e061c57e64d40b9c875076d3
    SHA256: d0906f665fc053312d362041d5aeb97e762b19cb8cb608f0c258982f2c5825be
    SHA512: 9b091fbf3b0b5aa0e1b4cb4b6586af10bbe184c7c1d3daec7ae5ca245fa3d21909fea4af23b424751c4c9be51993df6799da73b5127421ca94b6d7b9ca2bd299

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize: 6KB
    MD5: d80f61df17b1e8d1237648e2acb99ff4
    SHA1: 4a8fef44e01d7cde4c9f3491e3f7616f1518077c
    SHA256: f50cce6ccd333cf02a282adade00499d79173e65a23cfe7b3b5e00af4ec318a9
    SHA512: e5ad2e20ada7b6496af6bafa08a68e92d499787fe25f3e7b3132b5b1dd11046afb11f7309e51ae04a30da6ce0e64896ad10be8d5b9ddffc997cfcb58df16cd17

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 05e7a55fe1d7b1b922f1d60a8e2931f7
    SHA1: bdd91b287c6240da25382dffbd85a2b256918d6f
    SHA256: 1680630e7709c33f3f395949c7ed29592f845ea25e40142dd11639bc511a811e
    SHA512: 042dde2c89344fc05397ab07f0000c5d21eb32d5815baaab1fba4d3e5e7a0384a86009cfb9d5af8bc8ee1df4d43d2d560f892d580c0a5e812a2159101a846f91

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1017B
    MD5: 4d0e62fb2c9d35b366dce3aa91a5ee64
    SHA1: f0ef670a9670dbf68e88dbf4632e5cafcef7a59a
    SHA256: ae02adb6c1667876d378b869e9447d985adfd2d45cd4acb57c1f99c44c4349f1
    SHA512: eba3c990fd878a88e312a70df54e90615e0bb9b0dc2653fe9398453ba943b043eb4dbbc9f3a2c37a03a4321fb74a3fd90ca76211e9cb5ee2027c5f13cb91d730

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 17bd087d92990ac77d714f51011a1608
    SHA1: f950392635dc1189337286f4943242dd6816d10a
    SHA256: 744df6ae4e7c36fd0974ef74be60507fb3c2e99f78ea0d577e8f9118c86cb27e
    SHA512: b4ab416ad1d18028c68d1acf03e43e0cb5a8995c1117030d0194db9ae5da83aa6e705e52373581d41db3402345a8700e13438d3567ffc6f568b44d90fb3c856d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4
    Filesize: 915B
    MD5: 899d88fb6fd3b3c5adbc109a37a87cb4
    SHA1: 6375e24345488176dff35660e0c844d161542ebf
    SHA256: e63cbdde17a8be06447104fd947bcfb01bd4a9377cde8fe07618d7063ad1bd96
    SHA512: d406e9ef1277a287b650ebb66e673c866894bbe5b16c92f3b2beaf5253f2c5ddf06711f698f8045674e60e753963201ad1fdba670d8f17c25412c3438688bbd5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 7.8MB
    MD5: 0002ee8291db719e720b2b12a22259ce
    SHA1: 208f70ad42a93c740df02a50b262113f5c99500d
    SHA256: 0ff8a58805e3f6de977a24e6dccecd9271f28187f60641a01a91c02959a63547
    SHA512: 8951fcd5ee38fc2cb0862f7f213e2ed69be4b70a4cf0e0a6c23c20996996d565c9a666230731fe2e622904dad05092156c4a42349413b87a9da9ad98e86c530d

  • memory/3800-88-0x0000021143D80000-0x0000021143D90000-memory.dmp
    Filesize: 64KB

  • memory/3800-4-0x000002115CDD0000-0x000002115D2F6000-memory.dmp
    Filesize: 5.1MB

  • memory/3800-3-0x0000021143D80000-0x0000021143D90000-memory.dmp
    Filesize: 64KB

  • memory/3800-2-0x00007FF8BF310000-0x00007FF8BFCFC000-memory.dmp
    Filesize: 9.9MB

  • memory/3800-1-0x000002115C6D0000-0x000002115C892000-memory.dmp
    Filesize: 1.8MB

  • memory/3800-84-0x00007FF8BF310000-0x00007FF8BFCFC000-memory.dmp
    Filesize: 9.9MB

  • memory/3800-0-0x0000021141F10000-0x0000021141F28000-memory.dmp
    Filesize: 96KB