discordrat | 9d0e13b30050899624473e710d44cb372a881a38d2802cc6c0ea2e2f54580689

Analysis

max time kernel
84s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Google Chrome.exe
Size

492KB
MD5

d3ebb8649264196a80f589dcf0c97f9b
SHA1

4bbeef7c604629c5cce710ff78dd1c032dc67fc5
SHA256

9d0e13b30050899624473e710d44cb372a881a38d2802cc6c0ea2e2f54580689
SHA512

fcb8dd306b96ff2cd6c13cd9dcd70330efd2d2cab63548b1089fa207b0249603b8f45f5f2c50755db2a7d877774a7497c2303fc9ab5150529fcf6a24e7f1f9b6
SSDEEP

12288:2CQjgAtAHM+vetZxF5EWry8AJGy0khGPyJm:25ZWs+OZVEWry8AFtGPZ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NDA5NTY1ODUwNDM1OTk3Ng.GTDu8V.pnAIDXNTNWIQchltJK15s3stoHuo5RxHsi9AYg
server_id
1244095541626015796

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Google Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	backdoor.exe

Executes dropped EXE 1 IoCs

pid	Process
3196	backdoor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
93	discord.com
71	discord.com
72	discord.com
76	discord.com
79	discord.com
80	discord.com
91	discord.com
92	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611607760793351"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3468	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2236	1688	Google Chrome.exe	82
PID 1688 wrote to memory of 2236	1688	Google Chrome.exe	82
PID 2236 wrote to memory of 1984	2236	chrome.exe	84
PID 2236 wrote to memory of 1984	2236	chrome.exe	84
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 2208	2236	chrome.exe	85
PID 2236 wrote to memory of 1244	2236	chrome.exe	86
PID 2236 wrote to memory of 1244	2236	chrome.exe	86
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87
PID 2236 wrote to memory of 2668	2236	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85becab58,0x7ff85becab68,0x7ff85becab78
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:2
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:1244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:1768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4264 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:3132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:1420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
    3⤵
    PID:4808
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3196
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /s /t 0
    3⤵
    PID:3188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3902055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
fbdf1490d8356d46dca563ab82f503f5

SHA1
61f8da4d9a73b7cc00cab465def436bc2bf7313f

SHA256
b26a701052ed6f2166b5e8cc9ec6f6011393187100b084c1368bbb56aef8d217

SHA512
d0a65aa6f3206a7e57dc57db86d262cd8213f7848b2cb8600279f74f2e636163117a837ff4a8139d57a2318e9d34b5fd4938dcc32ff7c650caadda8c9cf9d40c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2c55c1c7c85404a8c061d5c06e15144a

SHA1
07817845d32c536a65e2341efa99487e2a507dae

SHA256
32353908ccf59a37066e58a8e49138bb40c958f743bc50d14d65710b91ceb5d3

SHA512
46c2c857ddab480119a903f62916cb5121f04f960ee8d6bf7cb8ede862e35c0f2ef62d1194ee72e1ae0ff9c4d97ee2386a90e9844f781166fcd7f7022c321479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d4eb7e6c2b1ac427624a4d9f99bdb5a4

SHA1
71d3d34b207822c8c4c9fdb772a7e2914d1e0ce4

SHA256
ccc709f92ae1922fe99a59d81f9d9b979ce6c3a8ad7e6be53fa42c6ed5ce8f1a

SHA512
9d94bfde147ed60e1b970468d193cc2418bcc2e34b2d9ffe4133c3dacd1e93fdea60e6d6ef63c89b5cfb3e15360321511bb3fc53a51d72fb7d4b928e85c3eb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c2873f1a31f09a85fb3a2fa16e3fd92

SHA1
65c52ade98c0f13b707c658231a6e001f02895bc

SHA256
5d4d267cf4de7f4ac396f5ad42efc69773de0042c3a87f1147fdf33f70162d02

SHA512
c768c5d5025789e1f9343a479d55d7898796fe357ebb23a40d18d0beb19f1649cebae4663741c49f9c402e182e0150e35c891fe6d427e8745c5d50e97766afa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0f5ec81823c58e751e246b7bd52ebea0

SHA1
6b34b386b59d62ee3151763267e2245e3e22b981

SHA256
8167fff6b2e54772d8a743ab28c7fc49e520d699b2823f9530df8c788b5470a1

SHA512
cac2349b28f65eaf501d0e214b4ad46a7cfcec4cb3d82821b3df7785a34280e8d50ec248af3e937df3843d73dab8e3d0d3190ec23934582cadd6c3fcb648217e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
894b7cbb6068c504526e95dfd2f17695

SHA1
929cc09bc5b9a87c8a20a593aed15c631f629cf1

SHA256
cbb437dce9409b713a09513aeb655c92d39c1451ea469ff4d110586eb78a6b5c

SHA512
267c6a73752698b67a0a24fcdd442272bfcc91154730db30a5fa7dcf70af9f5bd6138a413fc3e9cfad53fd9aae7438337238be007f06940afc6d28d5f183fabe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
a476f60d5e5d6abf90c56a80bbccb9fe

SHA1
7bd1d0a94fb13aaa0b79f9a4c02bfe6305f60a05

SHA256
981a4c94a452c830ba98f989554b6564fda6689a867b2fc61ec23d0188adb9b3

SHA512
f9f056c2f970d701311a528e7ebe07b7137195198fa366c8680c2647ffb4b864edd092aef37a3dee42642d7da8e5149bdfa4daa1dce9930f7d9e0b5fc4dc651c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
67218bb637af9e356c2d58d7c66eb11e

SHA1
0bb524e8c7592bf5e6b5b5c03183c40c1fa8cb1d

SHA256
ae0ca0a7deefd6d9903e9105e32adb3390cf607ab11b8775a7134b2a1d63ae5b

SHA512
8209d0be2f0d21c2799b214e6872c7a91153fba542a98aebc9e8031a065ecb99f7a1bb4f44280ac555b28958d48ddfc6815c2c7fd839890a24de036363d9ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
9553a880a3c466fa75a66e0c39227e12

SHA1
792c1dad18fb2cbcec2d481521562f03ef87a349

SHA256
2b10f66d9a5a6e56e89b939b3606ebb628035a96ea64fc45f792ecc59b30d286

SHA512
0abe8444f4d80f6e40571a7e12340043a7ee42aafb8fae20f5d86c40c2429527c4d4def9a71965fd861474aee7a0d4bbc6c230400bb3eee39d37bb2145a83099

Download Submit
memory/3196-173-0x00000293AACE0000-0x00000293AACF8000-memory.dmp

Filesize
96KB

Download
memory/3196-174-0x00000293C53D0000-0x00000293C5592000-memory.dmp

Filesize
1.8MB

Download
memory/3196-175-0x00000293C5BD0000-0x00000293C60F8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads