Analysis
-
max time kernel
231s -
max time network
232s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19-05-2024 17:49
Errors
General
-
Target
KEIN VIRUS.exe
-
Size
78KB
-
MD5
9f8a43b5ca89a37ac0835c0911f0358e
-
SHA1
a24e7cecf2e998b6a74a4cbf560dbf97d443b4e2
-
SHA256
c99c61b9dcbd3ce7fc8596627afa3ed4dfc62c8769cc3e1f7e2296908012ac7b
-
SHA512
9918fecf89442fb315747dfff40e2a40905fcbd9a4806a29eff14ed88fa4ca47c71efebe813af71fdd295383d6c4e7c281a146e376b4abd0cc0549aebcc4d640
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Malware Config
Extracted
discordrat
-
discord_token
MTIzODIxODI5OTI0NjkwNzQ0Mw.GM_DE9.sCwhiQT-xwZE1RaUtI6kAXfQioIKUFeb-kbyGA
-
server_id
1241809630498259105
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KEIN VIRUS.exe"C:\Users\Admin\AppData\Local\Temp\KEIN VIRUS.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com/2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd37346f8,0x7ffbd3734708,0x7ffbd37347183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4984 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5228 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,18220468676688496721,14000144001212359859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:13⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x4c81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
456B
MD5084066fdebc8762a978115f15863cd1c
SHA10b7ea41653a48450359b3e49329a98cc344a0d6b
SHA256cba07938ae547ff54a836567d3e9b4e722c2fba5f0896bc205246114d1842926
SHA5120231ce1903abf77750122ce7be90b4f0a054d9062b50f0bcc9b0f0c33fb9d570a7a206d5f3c0a3e8bcdcd380663f54b82aec4ca5a5791883651cebdea3dd764d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD567782b8067b602dfa93f3ebe9942508c
SHA151bc12772b50d1be5ec14906932b50225b4e4309
SHA25654efe81e01e5cddb1e46fedad69bd8ae0f9c019c84676c9ef99fdd203d73e51a
SHA5122e51c2f56a76282ff2471766137d27fdf8f7aac22c25608f56d6049a859e475db1b42ccb4c591780ef41c67f5355ea8052d31d6d0a84861446153673a1b02f74
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54c63e5b300837c4dc3e4fbc1ea38a33c
SHA19362ee432209bffc1c8aec8f34c86dda47e8a6b8
SHA256b7b5adf925e9d630c4f8dd13e064a9c29a75e8d9fe3a8d3469401fcb6430f2bb
SHA512876f65329248fb903933e29320d3b9b0737d2dcd6e8177b3b62b77fc320897940ae97abd5c089ec6fe3f44e856c8641d278c4db32b169474861d41ce83da1131
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\dcf2bf78-7574-4627-8edc-86934d812424\index-dir\the-real-indexFilesize
2KB
MD5355538aecfe0df4834f0bff5065f832e
SHA18d7fb9809b0e253f1d7efb38a6df274de6c67c70
SHA256f1b8746a000bbcd7449bcc8bf998b6237f6f270693029db11f308899c426b545
SHA512d8481b3ad1f60227611a0ab4e80b661357194a7a0b7612d5d8e579fdf2b3c4c83ed41711c6a12c3a780f7c7998069516a77d367a7fe483faeb3e671ec34dcf30
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\dcf2bf78-7574-4627-8edc-86934d812424\index-dir\the-real-index~RFe5ac843.TMPFilesize
48B
MD5c600cddb1a30a1d03ce788d87cdabfdb
SHA142223fcaa4f887436ded42a0915f549c7df7861f
SHA256f43b79003d3d4344404ed586a52aa678639f9d530b3e68c2c48f4ef6c40e1363
SHA512d06d1138c9e33a2f53b162a42d3b4094dbe31e08139661e2642b91d58128723f2a1f85f4b956f67688fb30d1c82a2922bb4fbc15d18dfc98360d20ca58469190
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5517dfb7c5a395328bbd96c60340539dd
SHA1e0fb95259f8056f45ae3fadd2745a58e224d67bf
SHA2566ed4bcb5b768a53314196a0917a406ef6f1204f07c2c1383b01b61af364a3d7e
SHA51277b80e33350c0da0b8bf88f81cae7f1fc470da590b69a4b243415b096987ec0a7f7074beb0732d6fabb9c17d05225c7db03f58d23117c95936e372d7323852be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD5858315e0cc69fb8f5535aa2d145c3c54
SHA1ea11d66595d4fafbbc4763e83f3b8794cfceae40
SHA256697be09ab22b3f52865914dee8cd4161fe9a028a279b61fce6623f1fedbe110d
SHA512cbfc158b5fe45b13740a80ea4769ff38dc170545cdc51e27b8c5e5ee7a333d0c933d347a5bf4704d30ce1aeda699c1b92a22ddcfc0206225073645e13d64d94c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD55c09100389d61d730f8c92507aac5b35
SHA12f3925b2178f00d3678259c885eb6a3187c942d6
SHA25642317e951afdd8d2b6632bcb704437dd1409a491c739c3f083ff86993b294bd7
SHA5120a2f5e63a409bb93cd6bed001608cf32b5e00a65ab6081ab27f982a071991ed93f631147b3dfe18a0a11576489e14df1ebb0ba927f40c3f01fc4d9e492e1aae4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmpFilesize
84B
MD54779c10e54971ab27f098280dbd4c498
SHA16846b19d56cbe41996d82c36935e212c017cc29c
SHA256f68fd700e8de8f5a361b43b0b91c591a3ba7c867eedf415a0442502ac37b80e2
SHA512f18111149f6e6a955bec05761e8a1a85d5c18692c9e915280485e8bea2962979d85cfa1559e056dfb5cd5f20679d95a51a7fb2020009d3898873a1ac354fcefc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD58f100e7725fdfbee697a52c90c45f671
SHA1023e7479fbe4765b73674309016323fcc844e8f9
SHA2567027ce073185284648ab7b7d74836d0599a6ee86b52eddc5c8f11bc791ad6bb9
SHA512f17d6fe942bb6e66b641ff306f2664b25aef5f456d59655fdf55ef916f600ebf348e7d7eb59d93f7befa56ed6fec030fac253e0396223460fe980da3c9c41ae8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ac390.TMPFilesize
48B
MD5a1ccf57d083cc4b06d9f3af98f792d24
SHA1aa64a651ee1348f5a45b252dfcb9becdfc8803a4
SHA2561500a534e24ede51fc02dfda337d5377f959f680c24b26e22bfc3ceb86d4f857
SHA5124fd359538df210bdfd57c9d51004593b42eacfdc4740d41fc2630a6161d57f1f910b8699da359c63583333213faeb7a9631ff6e09e2ef7fda3b60bc0ca3582e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD529771a27996f569ac02ed555c90679b6
SHA1f2cff1fcb00d3a86a4abfa88e274e9445e8e27b0
SHA25682d371d2418ae00785187a84c6e34c438d6439a3bb3726faa86d63992a18cbeb
SHA51236ad3116b0b2fab8dc0f43abcd187ffde274b092eee81bc61714b8f05c5769532b9c2a5f0e806be9e53629ce2032e35dbb81c5f86c7b49bd6421d858e02c6732
-
\??\pipe\LOCAL\crashpad_4800_EXONADWEQFBNQKKDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3192-10-0x00000213BE500000-0x00000213BE51E000-memory.dmpFilesize
120KB
-
memory/3192-1-0x00007FFBD7163000-0x00007FFBD7165000-memory.dmpFilesize
8KB
-
memory/3192-9-0x00000213BE0F0000-0x00000213BE102000-memory.dmpFilesize
72KB
-
memory/3192-8-0x00000213C0620000-0x00000213C0696000-memory.dmpFilesize
472KB
-
memory/3192-5-0x00007FFBD7160000-0x00007FFBD7C21000-memory.dmpFilesize
10.8MB
-
memory/3192-4-0x00000213BE920000-0x00000213BEE48000-memory.dmpFilesize
5.2MB
-
memory/3192-3-0x00007FFBD7160000-0x00007FFBD7C21000-memory.dmpFilesize
10.8MB
-
memory/3192-2-0x00000213BE120000-0x00000213BE2E2000-memory.dmpFilesize
1.8MB
-
memory/3192-0-0x00000213A3AF0000-0x00000213A3B08000-memory.dmpFilesize
96KB