Analysis
-
max time kernel
1050s -
max time network
632s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
15-04-2024 15:43
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win10v2004-20240412-en
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
deaf5dca76c8d07ba1dde0c427e72255
-
SHA1
970a7fe7fbad3038a535f5e92cb45c24875d9822
-
SHA256
7ecf30ca60d35b0e45c14bf6f2108f7227b06efc456aa91bc1fe0525524f326e
-
SHA512
c733d3f24f7784bf8468f78713e9e35d6afe2150af9263a3a86c77fe94b41e33c0e24e72fcf0cbdd2aca4e9f388978815580e8e32edfcf2c130e3527cae2b73b
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+YPIC:5Zv5PDwbjNrmAE+8IC
Malware Config
Extracted
discordrat
-
discord_token
MTExOTY4MDYxNDIxNjUxNTY5NQ.G4EXsN.rare5BIxmEl7wss7NznVobbl9DJL5xulluzALs
-
server_id
1229094624333926517
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation Client-built.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs
flow ioc 119 discord.com 73 discord.com 78 discord.com 84 discord.com 105 discord.com 107 discord.com 118 discord.com 70 discord.com 72 raw.githubusercontent.com 102 discord.com 104 discord.com 106 discord.com 76 discord.com 82 discord.com 83 discord.com 91 discord.com 67 raw.githubusercontent.com 86 discord.com 88 discord.com 95 discord.com 66 discord.com 75 discord.com 98 discord.com 13 discord.com 31 discord.com 38 discord.com 39 discord.com 65 discord.com 12 discord.com 68 raw.githubusercontent.com 108 discord.com 69 discord.com 74 discord.com 77 discord.com 87 discord.com 117 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1436 SCHTASKS.exe 2100 SCHTASKS.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "122" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1612 taskmgr.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 1248 Process not Found 4156 Process not Found 4728 Process not Found 3408 Process not Found 3972 Process not Found 4932 Process not Found 4672 Process not Found 3952 Process not Found 2028 Process not Found 3500 Process not Found 2148 Process not Found 4348 Process not Found 948 Process not Found 2956 Process not Found 4368 Process not Found 2168 Process not Found 2096 Process not Found 2872 Process not Found 2260 Process not Found 880 Process not Found 3540 Process not Found 2728 Process not Found 4864 Process not Found 1232 Process not Found 1652 Process not Found 4328 Process not Found 4224 Process not Found 1732 Process not Found 4152 Process not Found 3600 Process not Found 3956 Process not Found 5076 Process not Found 632 Process not Found 4572 Process not Found 3392 Process not Found 4596 Process not Found 3920 Process not Found 4124 Process not Found 400 Process not Found 4984 Process not Found 3396 Process not Found 4320 Process not Found 3996 Process not Found 4376 Process not Found 1148 Process not Found 4144 Process not Found 740 Process not Found 4800 Process not Found 4760 Process not Found 2904 Process not Found 760 Process not Found 4344 Process not Found 1584 Process not Found 2944 Process not Found 3676 Process not Found 3904 Process not Found 4272 Process not Found 2632 Process not Found 1660 Process not Found 1716 Process not Found 1436 Process not Found 4232 Process not Found 4140 Process not Found 3344 Process not Found -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 1228 Client-built.exe Token: SeDebugPrivilege 1612 taskmgr.exe Token: SeSystemProfilePrivilege 1612 taskmgr.exe Token: SeCreateGlobalPrivilege 1612 taskmgr.exe Token: SeDebugPrivilege 1652 Client-built.exe Token: SeDebugPrivilege 852 powershell.exe Token: 33 1612 taskmgr.exe Token: SeIncBasePriorityPrivilege 1612 taskmgr.exe Token: SeDebugPrivilege 1888 taskmgr.exe Token: SeSystemProfilePrivilege 1888 taskmgr.exe Token: SeCreateGlobalPrivilege 1888 taskmgr.exe Token: 33 1888 taskmgr.exe Token: SeIncBasePriorityPrivilege 1888 taskmgr.exe Token: SeDebugPrivilege 4364 taskmgr.exe Token: SeSystemProfilePrivilege 4364 taskmgr.exe Token: SeCreateGlobalPrivilege 4364 taskmgr.exe Token: 33 4364 taskmgr.exe Token: SeIncBasePriorityPrivilege 4364 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1228 Client-built.exe 1228 Client-built.exe 4868 LogonUI.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1228 wrote to memory of 4900 1228 Client-built.exe 96 PID 1228 wrote to memory of 4900 1228 Client-built.exe 96 PID 1228 wrote to memory of 852 1228 Client-built.exe 103 PID 1228 wrote to memory of 852 1228 Client-built.exe 103 PID 1228 wrote to memory of 1436 1228 Client-built.exe 105 PID 1228 wrote to memory of 1436 1228 Client-built.exe 105 PID 1228 wrote to memory of 2100 1228 Client-built.exe 108 PID 1228 wrote to memory of 2100 1228 Client-built.exe 108 PID 1228 wrote to memory of 2276 1228 Client-built.exe 111 PID 1228 wrote to memory of 2276 1228 Client-built.exe 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I2⤵PID:4900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
PID:1436
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
PID:2100
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /L2⤵PID:2276
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:756
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3919055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82