Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://download1510...

windows10-2004-x64

Analysis

  • max time kernel
    63s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 13:04

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://download1510.mediafire.com/x79vrqsdxnqguHUF4SSVf-iPx8wIW1ED-CKmVSY9ke_byteihfnFTVtJOnJ_FyFGsEucQHzi6OU49G_fRKVPm2n6lPfsyC2h8fBlv0sU-6qguvJaJw9neiuBdazcZ-lYxd1c1_fBXF31LxhSnAbSL2h1BbJWoP8cL7pb7wTE9fHbGQ/ok9xp2g17vbucqx/Panda_Exploit.rar

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzOTE4NzgzMTUxNjE3MjM4OA.GYLFDQ.huQJASMCLjqluR9WrTcqri5t-vNOB6HHEry5Kw

  • server_id

    1237879900740915321

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download1510.mediafire.com/x79vrqsdxnqguHUF4SSVf-iPx8wIW1ED-CKmVSY9ke_byteihfnFTVtJOnJ_FyFGsEucQHzi6OU49G_fRKVPm2n6lPfsyC2h8fBlv0sU-6qguvJaJw9neiuBdazcZ-lYxd1c1_fBXF31LxhSnAbSL2h1BbJWoP8cL7pb7wTE9fHbGQ/ok9xp2g17vbucqx/Panda_Exploit.rar
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe344246f8,0x7ffe34424708,0x7ffe34424718
      2⤵
        PID:948
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        2⤵
          PID:1172
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1812
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
          2⤵
            PID:4012
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:880
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
              2⤵
                PID:4016
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
                2⤵
                  PID:4972
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1912
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
                  2⤵
                    PID:4400
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                    2⤵
                      PID:1360
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
                      2⤵
                        PID:784
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
                        2⤵
                          PID:2224
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3816
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
                          2⤵
                            PID:5260
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9195666515274039112,10313068730287299609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
                            2⤵
                              PID:5268
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1892
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3596
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:6000
                                • C:\Program Files\7-Zip\7zG.exe
                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6163:88:7zEvent19912
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:6052
                                • C:\Users\Admin\Downloads\Panda_Exploit\Panda Exploit\Bin\Panda.exe
                                  "C:\Users\Admin\Downloads\Panda_Exploit\Panda Exploit\Bin\Panda.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2940

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  537815e7cc5c694912ac0308147852e4

                                  SHA1

                                  2ccdd9d9dc637db5462fe8119c0df261146c363c

                                  SHA256

                                  b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

                                  SHA512

                                  63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  8b167567021ccb1a9fdf073fa9112ef0

                                  SHA1

                                  3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

                                  SHA256

                                  26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

                                  SHA512

                                  726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  a156ed416357f1dcbd6a6416eb735ab4

                                  SHA1

                                  4c7f6264b5ce687aa9628498bad6b285074f18e2

                                  SHA256

                                  5c9ef68e7cfee1bad80c52c689fc39d469260f5e6f942dbbb39f09a8ea884233

                                  SHA512

                                  7d10932c44b5bb703fd62628414e11bf56afb056a41892d868390f1a25765dbc68c61f65348aad13923cc767a21c8cbd5671f4b782d7d52690e8c252d61245e3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  5KB

                                  MD5

                                  e869aa92ba4cd7daf3d510a29458b76c

                                  SHA1

                                  33399347fd89eca73514eb4ab51a7f2a07201a5e

                                  SHA256

                                  622d964eae1a1b99acc4f0a13dfc036b53f8c1d2bf47620d1a4f554fb0060144

                                  SHA512

                                  ea8cab8ae9efd11c2bd041cabc3802a6b55867501125c270078b0c1ccfec20d684dd01e5c5ba93b5ef754f644fd784e0910c0c517c16fb0455c1ac4b0c5edbd6

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  b9b477bf4da5ad6b178bef61234c73b5

                                  SHA1

                                  546d0e7020f6e4f7d19f2996a7e7a8843ab3061f

                                  SHA256

                                  1bb43426e5e6da308eefbce09240a5e23b097706fec8bad16772a65c23d4c3bc

                                  SHA512

                                  88c870a67c81c99449af3e9bd7c56898f4ca2e36a46ace7eaa3472dcd8c6b78c54fc971708102048c0ea303c223e480db2ca4357d06880978e274d05b976caca

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  c3de661cd7636fbc70cb7baddc4339ab

                                  SHA1

                                  c9963110f3881afcd0a1336405e884e7a0c21407

                                  SHA256

                                  aa126908fb8089fee459bc3bc1288f22694b9160e80aad1f8316a669592762b9

                                  SHA512

                                  2c61145a573d8185fb894e72832fdabef0e30fd637a8b5abffeff98e70bb7d95d30f3cc3fd8c994f568f774ee9c742f02d208f4bd604257d3fdfb552ecc17b46

                                  Download Submit

                                • C:\Users\Admin\Downloads\Panda_Exploit.rar
                                  Filesize

                                  7.6MB

                                  MD5

                                  ec6a80e0b2c60e53dde934dbd8abdf2a

                                  SHA1

                                  9a27f15bf954e448722952b0d41eafeaf4cc4bce

                                  SHA256

                                  21bc8d165a2a6c7c933eaa8cbb4b6c61d6ea1a08467e0ef2f75392f31ec2ac65

                                  SHA512

                                  031903ad0e5a986b0efaffcb9cf5e1613ee909807a98dc6b168915ff6431db80981bf90c7fa5c71fbb4a5674ab85263f6047a062c21e45d91f3f0e2ecc58a867

                                  Download Submit

                                • C:\Users\Admin\Downloads\Panda_Exploit\Panda Exploit\Bin\Panda.exe
                                  Filesize

                                  78KB

                                  MD5

                                  2203f35650f3c3356116c0bc4012699e

                                  SHA1

                                  ca37979cca3e4d0043af8abddb3c40d69da1f400

                                  SHA256

                                  05e1e92373e97d5a5777af35955eaeb08db1d9313db75a83b5f9d87de83a5b7d

                                  SHA512

                                  fffe795f4c36806ee8c7138e756ec7a895c88fa41589f44f3bffbe01a3d413785fd9d173079ff80f3cdd94ea7ae7a993e2565f66252dc1a7ba708778e446cf13

                                  Download Submit

                                • memory/2940-134-0x0000022985550000-0x0000022985568000-memory.dmp

                                  Filesize

                                  96KB

                                  Download

                                • memory/2940-135-0x000002299FBC0000-0x000002299FD82000-memory.dmp

                                  Filesize

                                  1.8MB

                                  Download

                                • memory/2940-136-0x00000229A03C0000-0x00000229A08E8000-memory.dmp

                                  Filesize

                                  5.2MB

                                  Download