Analysis
-
max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
16-04-2024 20:23
Static task
static1
Behavioral task
behavioral1
Sample
sgpj.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
sgpj.exe
Resource
win10v2004-20240412-en
General
-
Target
sgpj.exe
-
Size
563KB
-
MD5
0bbc0a7dc1a58f8a33fbd893ec737bc2
-
SHA1
6cc449fffcf0111d62ff0475afb30eef7d774089
-
SHA256
9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f
-
SHA512
d6a4cb34a70180951925d5414c1a563a37a5a6d5c92b6fc8c741711637ebd1af60a0e375e00334599f322226a084641f099042b524f7152c720f8a2e7ee14445
-
SSDEEP
12288:oCQjgAtAHM+vetZxF5EWry8AJGy0yfnSWv46NuV9TXH2505/N:o5ZWs+OZVEWry8AFBTjNufH2kV
Malware Config
Extracted
discordrat
-
discord_token
MTIyOTg4MjMyNDM2ODM2MzcwMA.GrfReS.9yWuSoWr3uhKK0b6qurk33JdihJVamaZgss9Yg
-
server_id
1229880755757514752
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation  sgpj.exe
Executes dropped EXE 1 IoCs
pid  Process
2248  Client-built.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
32  discord.com
33  discord.com
36  discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577726457990318"  chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
756  chrome.exe
756  chrome.exe
1380  chrome.exe
1380  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid  Process
756  chrome.exe
756  chrome.exe
756  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  2248  Client-built.exe  (1 entry)
Token: SeShutdownPrivilege  756  chrome.exe  (32 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege  756  chrome.exe  (31 entries)
Suspicious use of FindShellTrayWindow 26 IoCs
pid  Process
756  chrome.exe  (26 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid  Process
756  chrome.exe  (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2696 wrote to memory of 2248  2696  sgpj.exe  90  (2 entries)
PID 756 wrote to memory of 2104  756  chrome.exe  94  (2 entries)
PID 756 wrote to memory of 1716  756  chrome.exe  95  (repeated)
PID 756 wrote to memory of 4240  756  chrome.exe  96  (2 entries)
PID 756 wrote to memory of 1160  756  chrome.exe  97  (repeated)
The 1716 and 1160 rows together account for the remaining 58 of the 64 IoCs.
Processes
C:\Users\Admin\AppData\Local\Temp\sgpj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sgpj.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2696
  Child: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2248

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 756
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8fc1aab58,0x7ff8fc1aab68,0x7ff8fc1aab78
    PID: 2104
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:2
    PID: 1716
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 4240
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 1160
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:1
    PID: 1308
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:1
    PID: 3100
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:1
    PID: 3408
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 2244
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 4196
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 1780
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 4200
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:8
    PID: 1000
  Child: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1864,i,10797707792509916420,6539538308530911524,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 3196
Network
MITRE ATT&CK Enterprise v15
Downloads