Analysis
max time kernel: 87s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-04-2024 03:48
Static task: static1
Behavioral task: behavioral1
Sample: Microsoft Windows Search Protocol Host.exe
Resource: win11-20240412-en
Errors
General
Target: Microsoft Windows Search Protocol Host.exe
Size: 83.1MB
MD5: db7547dd16de219ddd802249edc8b836
SHA1: df769131ed7f844ebba99b5bdfd7ee64d931ff86
SHA256: 52be3b91781d67fc47a8c57035ee3b7a63157062105833a6e7e37e53fce87487
SHA512: 921f7246100917b1a3e8bdcab672adaf6b4f5c493fcec40b355bf883cd3081a7e2f4f2fe92937143dc467a467540876aa64c0631f9e1eb408bd414042f416859
SSDEEP: 1572864:cddzlkR0Nf4amAXDtx+SotbqpWCpIPsdNvFw2pdsdW5JzIsqZvJH:W+DaDXdM6lCsH9w2pdsdW5Wbv1
Malware Config
Extracted
Family: discordrat
discord_token: MTIzMTA1NzI4MTM2MjQzMjEwMw.GqS2R9.POtFa_pdzS_mi2VjvgY9ceyf-OtuUfRBAGmViY
server_id: 1231045348793778197
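The two extracted values above can be triaged offline without ever presenting the token to Discord. The following is an added example, not code from the report or from the RAT: a bot token's first dot-separated segment is the base64 encoding of the bot's user ID, and Discord user and server (guild) IDs are snowflakes whose upper 42 bits hold milliseconds since the Discord epoch (2015-01-01T00:00:00Z), so both IDs yield a creation timestamp. The function names and output format are this example's own assumptions.

```python
"""Offline decoding of the extracted Discord RAT config.

Added example, not part of the sandbox report or of the RAT itself. It only
derives fields computable without contacting Discord: the bot user ID hidden
in the token prefix, and the creation time encoded in each snowflake ID.
The token is never used to authenticate; it is an IoC to report and have
revoked, not a credential to test.
"""
import base64
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z in Unix milliseconds

# Values copied from the report's "Malware Config" section.
DISCORD_TOKEN = "MTIzMTA1NzI4MTM2MjQzMjEwMw.GqS2R9.POtFa_pdzS_mi2VjvgY9ceyf-OtuUfRBAGmViY"
SERVER_ID = "1231045348793778197"


def snowflake_to_datetime(snowflake):
    """Return the UTC creation time encoded in a Discord snowflake ID."""
    sid = int(snowflake)
    if sid <= 0:
        raise ValueError("snowflake must be a positive integer")
    unix_ms = (sid >> 22) + DISCORD_EPOCH_MS   # drop worker/process/sequence bits
    return datetime.fromtimestamp(unix_ms // 1000, tz=timezone.utc)


def bot_id_from_token(token):
    """Decode the user-ID segment of a bot token and return it as a string.

    Raises ValueError if the segment does not decode to a decimal snowflake,
    which cheaply rejects strings that merely look like a token.
    """
    head = token.split(".")[0]
    padded = head + "=" * (-len(head) % 4)          # tokens omit base64 padding
    raw = base64.urlsafe_b64decode(padded).decode("ascii")
    if not raw.isdigit():
        raise ValueError("token prefix is not a base64-encoded snowflake")
    return raw


def summarize(token, server_id):
    """Build the triage facts an analyst would attach to the report."""
    bot_id = bot_id_from_token(token)
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "bot_user_id": bot_id,
        "bot_created_utc": snowflake_to_datetime(bot_id).strftime(fmt),
        "server_id": server_id,
        "server_created_utc": snowflake_to_datetime(server_id).strftime(fmt),
    }


if __name__ == "__main__":
    for key, value in summarize(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Both IDs decode to creation times on 2024-04-20 UTC, the same day the sample was submitted, which is the kind of fact worth recording alongside the token when reporting it to Discord for revocation.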
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 2148 created 624 | 2148 | Microsoft Windows Search Protocol Host.exe | 5
- Executes dropped EXE (1 IoCs)
  pid | Process
  2148 | Microsoft Windows Search Protocol Host.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
  flow | ioc
  12 | discord.com
  1 | discord.com
  3 | discord.com
  4 | raw.githubusercontent.com
  7 | discord.com
  8 | discord.com
  9 | discord.com
  11 | raw.githubusercontent.com
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2148 set thread context of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2148 | Microsoft Windows Search Protocol Host.exe
  1504 | dllhost.exe
  1504 | dllhost.exe
  1504 | dllhost.exe
  1504 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2148 | Microsoft Windows Search Protocol Host.exe
  Token: SeDebugPrivilege | 2148 | Microsoft Windows Search Protocol Host.exe
  Token: SeDebugPrivilege | 1504 | dllhost.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  description | pid | Process | procid_target
  PID 4668 wrote to memory of 2148 | 4668 | Microsoft Windows Search Protocol Host.exe | 80
  PID 4668 wrote to memory of 2148 | 4668 | Microsoft Windows Search Protocol Host.exe | 80
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 2148 wrote to memory of 1504 | 2148 | Microsoft Windows Search Protocol Host.exe | 82
  PID 1504 wrote to memory of 624 | 1504 | dllhost.exe | 5
  PID 1504 wrote to memory of 684 | 1504 | dllhost.exe | 7
  PID 1504 wrote to memory of 980 | 1504 | dllhost.exe | 12
  PID 1504 wrote to memory of 464 | 1504 | dllhost.exe | 13
  PID 684 wrote to memory of 2548 | 684 | lsass.exe | 45
  PID 1504 wrote to memory of 416 | 1504 | dllhost.exe | 14
  PID 1504 wrote to memory of 432 | 1504 | dllhost.exe | 15
  PID 1504 wrote to memory of 1052 | 1504 | dllhost.exe | 16
  PID 684 wrote to memory of 2548 | 684 | lsass.exe | 45
  PID 1504 wrote to memory of 1076 | 1504 | dllhost.exe | 17
  PID 1504 wrote to memory of 1152 | 1504 | dllhost.exe | 18
  PID 1504 wrote to memory of 1172 | 1504 | dllhost.exe | 19
  PID 684 wrote to memory of 2548 | 684 | lsass.exe | 45
  PID 1504 wrote to memory of 1232 | 1504 | dllhost.exe | 21
  PID 1504 wrote to memory of 1308 | 1504 | dllhost.exe | 22
  PID 1504 wrote to memory of 1444 | 1504 | dllhost.exe | 23
  PID 1504 wrote to memory of 1452 | 1504 | dllhost.exe | 24
  PID 1504 wrote to memory of 1468 | 1504 | dllhost.exe | 25
  PID 1504 wrote to memory of 1556 | 1504 | dllhost.exe | 26
  PID 1504 wrote to memory of 1572 | 1504 | dllhost.exe | 27
  PID 1504 wrote to memory of 1680 | 1504 | dllhost.exe | 28
  PID 1504 wrote to memory of 1712 | 1504 | dllhost.exe | 29
  PID 1504 wrote to memory of 1768 | 1504 | dllhost.exe | 30
  PID 1504 wrote to memory of 1852 | 1504 | dllhost.exe | 31
Processes
C:\Windows\system32\winlogon.exe (PID 624)
  command line: winlogon.exe
    C:\Windows\system32\dwm.exe (PID 464)
      command line: "dwm.exe"
    C:\Windows\System32\dllhost.exe (PID 1504)
      command line: C:\Windows\System32\dllhost.exe /Processid:{ba9a611c-92b4-4980-b7a6-d2109e439664}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
C:\Windows\system32\lsass.exe (PID 684)
  command line: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe (PID 980)
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe (PID 416)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe (PID 432)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe (PID 1052)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe (PID 1076)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe (PID 1152)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe (PID 1172)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe (PID 1232)
  command line: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe (PID 1308)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe (PID 1444)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe (PID 1452)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe (PID 1468)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe (PID 1556)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe (PID 1572)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe (PID 1680)
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe (PID 1712)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe (PID 1768)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe (PID 1852)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\sysmon.exe (PID 2548)
  command line: C:\Windows\sysmon.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft Windows Search Protocol Host.exe (PID 4668)
  command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Windows Search Protocol Host.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe (PID 2148)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
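Read together, the NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory signatures and the process tree describe one chain rather than three alerts: the dropped copy (PID 2148) starts dllhost.exe (PID 1504) so that the tree shows it under winlogon.exe (PID 624), writes into it and redirects its thread, after which dllhost.exe writes into most of the service processes on the box. The following is an added example, not part of the Triage report and not the sample's code, of how a detection engineer would correlate those API events into a single verdict. The event list is constructed from the report's own rows; the Event fields, the fan-out threshold and the finding names are this example's assumptions.

```python
"""Correlate sandbox API telemetry into a single injection-chain verdict.

Added example, not part of the Triage report and not the sample's code. The
events below are reconstructed from the report's signature rows and process
tree (constructed sample input); the field names, threshold and finding
names are this example's own conventions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str          # "create" | "write" | "set_ctx"
    src: int          # PID performing the call
    dst: int          # PID acted upon (for "create": the child)
    parent: int = 0   # "create" only: parent PID recorded in the process tree


# Image names from the report's process tree, used only for readable output.
IMAGES = {
    624: "winlogon.exe", 684: "lsass.exe", 1504: "dllhost.exe", 2548: "sysmon.exe",
    2148: "Microsoft Windows Search Protocol Host.exe",
    4668: "Microsoft Windows Search Protocol Host.exe",
}


def report_events():
    """Events reconstructed from the report (constructed sample input)."""
    ev = []
    # dllhost.exe 1504 sits under winlogon.exe 624 in the tree, yet it is
    # 2148 that writes its memory and sets its thread context: spoofed parent.
    ev.append(Event("create", 2148, 1504, parent=624))
    ev += [Event("write", 4668, 2148)] * 2
    ev += [Event("write", 2148, 1504)] * 11
    ev.append(Event("set_ctx", 2148, 1504))
    fanout = [624, 684, 980, 464, 416, 432, 1052, 1076, 1152, 1172, 1232,
              1308, 1444, 1452, 1468, 1556, 1572, 1680, 1712, 1768, 1852]
    ev += [Event("write", 1504, t) for t in fanout]
    ev += [Event("write", 684, 2548)] * 3   # lsass -> sysmon: no create, no set_ctx
    return ev


def correlate(events, fanout_threshold=5):
    """Return findings: "hollowing" when one PID both writes into and sets the
    thread context of another, and "fanout" when one PID writes into at least
    fanout_threshold distinct processes."""
    writes = defaultdict(set)   # src PID -> distinct PIDs written to
    set_ctx = set()             # (src, dst) pairs with SetThreadContext
    created = {}                # child PID -> (creator PID, recorded parent PID)
    for e in events:
        if e.api == "write":
            writes[e.src].add(e.dst)
        elif e.api == "set_ctx":
            set_ctx.add((e.src, e.dst))
        elif e.api == "create":
            created[e.dst] = (e.src, e.parent)

    findings, hollowed = [], set()
    for src, dst in sorted(set_ctx):
        if dst not in writes.get(src, set()):
            continue   # thread-context change alone (a debugger) is not enough
        creator, parent = created.get(dst, (None, None))
        spoofed = parent if creator is not None and parent != creator else None
        findings.append({"type": "hollowing", "src": src, "dst": dst,
                         "created_by_src": creator == src, "spoofed_parent": spoofed})
        hollowed.add(dst)
    for src, targets in sorted(writes.items()):
        if len(targets) >= fanout_threshold:
            findings.append({"type": "fanout", "src": src, "count": len(targets),
                             "src_was_hollowed": src in hollowed})
    return findings


def _name(pid):
    return f"{IMAGES.get(pid, 'unknown')} ({pid})"


def render(findings):
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        if f["type"] == "hollowing":
            how = (f"parent spoofed to {_name(f['spoofed_parent'])}"
                   if f["spoofed_parent"] is not None else "parent not spoofed")
            lines.append(f"process hollowing: {_name(f['src'])} -> {_name(f['dst'])}, {how}")
        else:
            host = "hollowed host" if f["src_was_hollowed"] else "original process"
            lines.append(f"fan-out: {_name(f['src'])} wrote into {f['count']} processes ({host})")
    return lines


if __name__ == "__main__":
    for line in render(correlate(report_events())):
        print(line)
```

Requiring both a write and a SetThreadContext on the same target keeps a debugger or crash handler that does only one of the two out of the verdict, and the three lsass.exe writes into sysmon.exe in the report stay unflagged: lsass neither created nor redirected that process and touches a single target, so they never reach the fan-out threshold.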
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft Windows Search Protocol Host\Microsoft Windows Search Protocol Host.exe
Filesize: 161KB
MD5: e84b0c5ae5da700f7f51478976dd627d
SHA1: 1775328e100294390dc1a14ee688cee65c1ba821
SHA256: 4c9510bc3771e10b315ceaffafab277b34a4d62daa40492ee0d930cdccd2dc17
SHA512: edd8606b29b75ae2da8664416ff89a59c1c11fb2866b95a049b40955f4f3ecf68254c3905c5a258ac717d41f0b3d1a299cfdf66852be4c49ac4f74d16dcb73f0