Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 16:11

Static task: static1
Behavioral task: behavioral1
Sample: orgpj.exe
Resource: win10v2004-20240412-en
General

Target: orgpj.exe
Size: 451KB
MD5: 83897c26f97ac29b0473e572fc9011a0
SHA1: 8dfd92c318535a67323a831c93d48d5a4e5f52ab
SHA256: 5399c9635622edf962fcf6d73111676df49526175e04a31a4eb9b82720a0de91
SHA512: 257f58ff8f159992eab1824b572883fc1b3bea0de8279f1a8059863c1cac0715551ba9287d42de7ed7b654c7b83f507284b4a84a7d3cab06b772f45136063ac1
SSDEEP: 12288:/lM1A8JQMVxm4V1db5AgVDk5/ieLPoGtWcMs7:/lMiZMVn1db5AgFk56eLPftL
Malware Config

Extracted family: discordrat
discord_token: MTIyNjI3NDQ5OTg2NDAzOTQyNA.Gq7LiV.GqnYoTN8UBwHwLu5VOTno0mKdGo4KJ1bFd3-j4
server_id: 1207280969305034823
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation (orgpj.exe)

Executes dropped EXE (1 IoC)
pid 2572: backdoor.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 36: discord.com
flow 37: discord.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 4532: chrome.exe (both entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid 4532: chrome.exe (all 4 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token SeDebugPrivilege: pid 2572, backdoor.exe
Token SeShutdownPrivilege: pid 4532, chrome.exe
Token SeCreatePagefilePrivilege: pid 4532, chrome.exe
Token SeShutdownPrivilege: pid 4532, chrome.exe
Token SeCreatePagefilePrivilege: pid 4532, chrome.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
pid 4532: chrome.exe (all 26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid 4532: chrome.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
description | pid | Process | procid_target
PID 660 wrote to memory of 2572 | 660 | orgpj.exe | 92
PID 4532 wrote to memory of 3488 | 4532 | chrome.exe | 116
PID 4532 wrote to memory of 4936 | 4532 | chrome.exe | 117
PID 4532 wrote to memory of 4072 | 4532 | chrome.exe | 118
PID 4532 wrote to memory of 3152 | 4532 | chrome.exe | 119
Processes

C:\Users\Admin\AppData\Local\Temp\orgpj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\orgpj.exe"
  PID: 660
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
    PID: 2572
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2324

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 4532
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8208ab58,0x7ffc8208ab68,0x7ffc8208ab78
    PID: 3488

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:2
    PID: 4936

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:8
    PID: 4072

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:8
    PID: 3152

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:1
    PID: 4372

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:1
    PID: 4356

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:1
    PID: 3292

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:8
    PID: 3436

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:8
    PID: 2296

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4140 --field-trial-handle=1916,i,2128944138218715660,11304979498762515472,131072 /prefetch:1
    PID: 3608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4632
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 78KB
MD5: b40cdf79ed34fce3d4a65f0ed1c4a94c
SHA1: d5c99a85bf3a95b2bc455554eb2191f8c6ad7461
SHA256: 1900c982bb8a4b0ed0c33804000933585843bf35f5ac12fb53b5ac1a8f5d6c84
SHA512: 61d66dda7261ebfb9fd42975c54f9604d3d3a012654cbfbc81918e5e17c7dfcb293d3c1696a87e166a96531944b48b0f5c473bd8393b61da362e0e2e82e6d489