discordrat | 52be3b91781d67fc47a8c57035ee3b7a63157062105833a6e7e37e53fce87487

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T03:50:26Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_8-dirty.qcow2\"}"

General

Target

Microsoft Windows Search Protocol Host.exe
Size

83.1MB
MD5

db7547dd16de219ddd802249edc8b836
SHA1

df769131ed7f844ebba99b5bdfd7ee64d931ff86
SHA256

52be3b91781d67fc47a8c57035ee3b7a63157062105833a6e7e37e53fce87487
SHA512

921f7246100917b1a3e8bdcab672adaf6b4f5c493fcec40b355bf883cd3081a7e2f4f2fe92937143dc467a467540876aa64c0631f9e1eb408bd414042f416859
SSDEEP

1572864:cddzlkR0Nf4amAXDtx+SotbqpWCpIPsdNvFw2pdsdW5JzIsqZvJH:W+DaDXdM6lCsH9w2pdsdW5Wbv1

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzMTA1NzI4MTM2MjQzMjEwMw.GqS2R9.POtFa_pdzS_mi2VjvgY9ceyf-OtuUfRBAGmViY
server_id
1231045348793778197

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Microsoft Windows Search Protocol Host.exe

description pid process target process

PID 2148 created 624 2148 Microsoft Windows Search Protocol Host.exe winlogon.exe
Executes dropped EXE 1 IoCs

Processes:

Microsoft Windows Search Protocol Host.exe

pid process

2148 Microsoft Windows Search Protocol Host.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

12 discord.com
1 discord.com
3 discord.com
4 raw.githubusercontent.com
7 discord.com
8 discord.com
9 discord.com
11 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Microsoft Windows Search Protocol Host.exe

description pid process target process

PID 2148 set thread context of 1504 2148 Microsoft Windows Search Protocol Host.exe dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Microsoft Windows Search Protocol Host.exedllhost.exe

pid process

2148 Microsoft Windows Search Protocol Host.exe
1504 dllhost.exe
1504 dllhost.exe
1504 dllhost.exe
1504 dllhost.exe

description	pid	process	target process
PID 2148 created 624	2148	Microsoft Windows Search Protocol Host.exe	winlogon.exe

pid	process
2148	Microsoft Windows Search Protocol Host.exe

flow	ioc
12	discord.com
1	discord.com
3	discord.com
4	raw.githubusercontent.com
7	discord.com
8	discord.com
9	discord.com
11	raw.githubusercontent.com

description	pid	process	target process
PID 2148 set thread context of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe

pid	process
2148	Microsoft Windows Search Protocol Host.exe
1504	dllhost.exe
1504	dllhost.exe
1504	dllhost.exe
1504	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Microsoft Windows Search Protocol Host.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2148	Microsoft Windows Search Protocol Host.exe
Token: SeDebugPrivilege	2148	Microsoft Windows Search Protocol Host.exe
Token: SeDebugPrivilege	1504	dllhost.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

Microsoft Windows Search Protocol Host.exeMicrosoft Windows Search Protocol Host.exedllhost.exelsass.exe

description	pid	process	target process
PID 4668 wrote to memory of 2148	4668	Microsoft Windows Search Protocol Host.exe	Microsoft Windows Search Protocol Host.exe
PID 4668 wrote to memory of 2148	4668	Microsoft Windows Search Protocol Host.exe	Microsoft Windows Search Protocol Host.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 2148 wrote to memory of 1504	2148	Microsoft Windows Search Protocol Host.exe	dllhost.exe
PID 1504 wrote to memory of 624	1504	dllhost.exe	winlogon.exe
PID 1504 wrote to memory of 684	1504	dllhost.exe	lsass.exe
PID 1504 wrote to memory of 980	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 464	1504	dllhost.exe	dwm.exe
PID 684 wrote to memory of 2548	684	lsass.exe	sysmon.exe
PID 1504 wrote to memory of 416	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 432	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1052	1504	dllhost.exe	svchost.exe
PID 684 wrote to memory of 2548	684	lsass.exe	sysmon.exe
PID 1504 wrote to memory of 1076	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1152	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1172	1504	dllhost.exe	svchost.exe
PID 684 wrote to memory of 2548	684	lsass.exe	sysmon.exe
PID 1504 wrote to memory of 1232	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1308	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1444	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1452	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1468	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1556	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1572	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1680	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1712	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1768	1504	dllhost.exe	svchost.exe
PID 1504 wrote to memory of 1852	1504	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:464

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ba9a611c-92b4-4980-b7a6-d2109e439664}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\Microsoft Windows Search Protocol Host.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Windows Search Protocol Host.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe
Filesize
161KB

MD5
e84b0c5ae5da700f7f51478976dd627d

SHA1
1775328e100294390dc1a14ee688cee65c1ba821

SHA256
4c9510bc3771e10b315ceaffafab277b34a4d62daa40492ee0d930cdccd2dc17

SHA512
edd8606b29b75ae2da8664416ff89a59c1c11fb2866b95a049b40955f4f3ecf68254c3905c5a258ac717d41f0b3d1a299cfdf66852be4c49ac4f74d16dcb73f0

Download Submit
memory/416-58-0x000001829D590000-0x000001829D5BA000-memory.dmp

Filesize
168KB

Download
memory/416-60-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/416-66-0x000001829D590000-0x000001829D5BA000-memory.dmp

Filesize
168KB

Download
memory/432-69-0x000001D77BAD0000-0x000001D77BAFA000-memory.dmp

Filesize
168KB

Download
memory/432-61-0x000001D77BAD0000-0x000001D77BAFA000-memory.dmp

Filesize
168KB

Download
memory/432-65-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/464-52-0x000002026E560000-0x000002026E58A000-memory.dmp

Filesize
168KB

Download
memory/464-48-0x000002026E560000-0x000002026E58A000-memory.dmp

Filesize
168KB

Download
memory/464-53-0x00007FFF8DD83000-0x00007FFF8DD84000-memory.dmp

Filesize
4KB

Download
memory/464-54-0x00007FFF8DD84000-0x00007FFF8DD85000-memory.dmp

Filesize
4KB

Download
memory/464-55-0x00007FFF8DD86000-0x00007FFF8DD87000-memory.dmp

Filesize
4KB

Download
memory/624-38-0x000001CC64940000-0x000001CC6496A000-memory.dmp

Filesize
168KB

Download
memory/624-34-0x000001CC64910000-0x000001CC64933000-memory.dmp

Filesize
140KB

Download
memory/624-105-0x000001CC64940000-0x000001CC6496A000-memory.dmp

Filesize
168KB

Download
memory/624-44-0x00007FFF8DD83000-0x00007FFF8DD84000-memory.dmp

Filesize
4KB

Download
memory/624-42-0x00007FFF8DD84000-0x00007FFF8DD85000-memory.dmp

Filesize
4KB

Download
memory/624-37-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/624-36-0x000001CC64940000-0x000001CC6496A000-memory.dmp

Filesize
168KB

Download
memory/684-43-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/684-125-0x000002018F9C0000-0x000002018F9EA000-memory.dmp

Filesize
168KB

Download
memory/684-39-0x000002018F9C0000-0x000002018F9EA000-memory.dmp

Filesize
168KB

Download
memory/980-50-0x000002087BB90000-0x000002087BBBA000-memory.dmp

Filesize
168KB

Download
memory/980-49-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/980-47-0x000002087BB90000-0x000002087BBBA000-memory.dmp

Filesize
168KB

Download
memory/1052-70-0x0000027A48740000-0x0000027A4876A000-memory.dmp

Filesize
168KB

Download
memory/1052-92-0x0000027A48740000-0x0000027A4876A000-memory.dmp

Filesize
168KB

Download
memory/1052-74-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1076-75-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1076-73-0x000001EF6DF80000-0x000001EF6DFAA000-memory.dmp

Filesize
168KB

Download
memory/1152-78-0x000001B6A7F00000-0x000001B6A7F2A000-memory.dmp

Filesize
168KB

Download
memory/1152-82-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1172-83-0x00000296F3760000-0x00000296F378A000-memory.dmp

Filesize
168KB

Download
memory/1172-84-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1232-87-0x0000025345E50000-0x0000025345E7A000-memory.dmp

Filesize
168KB

Download
memory/1232-89-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1308-96-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1308-95-0x0000023314340000-0x000002331436A000-memory.dmp

Filesize
168KB

Download
memory/1308-100-0x0000023314340000-0x000002331436A000-memory.dmp

Filesize
168KB

Download
memory/1444-101-0x0000022F4AB80000-0x0000022F4ABAA000-memory.dmp

Filesize
168KB

Download
memory/1444-103-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1452-104-0x00000290EE910000-0x00000290EE93A000-memory.dmp

Filesize
168KB

Download
memory/1452-108-0x00007FFF4DD70000-0x00007FFF4DD80000-memory.dmp

Filesize
64KB

Download
memory/1452-110-0x00000290EE910000-0x00000290EE93A000-memory.dmp

Filesize
168KB

Download
memory/1468-115-0x000001B42CF40000-0x000001B42CF6A000-memory.dmp

Filesize
168KB

Download
memory/1504-27-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1504-32-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1504-26-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1504-25-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1504-97-0x00007FFF8DCE0000-0x00007FFF8DEE9000-memory.dmp

Filesize
2.0MB

Download
memory/1504-28-0x00007FFF8DCE0000-0x00007FFF8DEE9000-memory.dmp

Filesize
2.0MB

Download
memory/1504-30-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1504-31-0x00007FFF8DCE0000-0x00007FFF8DEE9000-memory.dmp

Filesize
2.0MB

Download
memory/1504-29-0x00007FFF8C250000-0x00007FFF8C30D000-memory.dmp

Filesize
756KB

Download
memory/1556-118-0x00000198C69B0000-0x00000198C69DA000-memory.dmp

Filesize
168KB

Download
memory/1572-123-0x0000021A01330000-0x0000021A0135A000-memory.dmp

Filesize
168KB

Download
memory/1680-132-0x0000023F86460000-0x0000023F8648A000-memory.dmp

Filesize
168KB

Download
memory/1712-129-0x00000240097A0000-0x00000240097CA000-memory.dmp

Filesize
168KB

Download
memory/2148-24-0x00007FFF8C250000-0x00007FFF8C30D000-memory.dmp

Filesize
756KB

Download
memory/2148-17-0x000001D82D950000-0x000001D82DE78000-memory.dmp

Filesize
5.2MB

Download
memory/2148-90-0x00007FFF8C250000-0x00007FFF8C30D000-memory.dmp

Filesize
756KB

Download
memory/2148-62-0x00007FFF8DCE0000-0x00007FFF8DEE9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-15-0x000001D82C4D0000-0x000001D82C692000-memory.dmp

Filesize
1.8MB

Download
memory/2148-22-0x00007FFF8DCE0000-0x00007FFF8DEE9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-16-0x00007FFF6CB30000-0x00007FFF6D5F2000-memory.dmp

Filesize
10.8MB

Download
memory/2148-14-0x000001D811D20000-0x000001D811D4C000-memory.dmp

Filesize
176KB

Download
memory/2148-21-0x000001D813A90000-0x000001D813ACE000-memory.dmp

Filesize
248KB

Download
memory/2148-20-0x00007FFF6CB30000-0x00007FFF6D5F2000-memory.dmp

Filesize
10.8MB

Download
memory/4668-19-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-1-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-2-0x0000000006C20000-0x0000000006C30000-memory.dmp

Filesize
64KB

Download
memory/4668-0-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors