discordrat | 16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610

Resubmissions

08-06-2024 23:05

240608-22vh3sae24 10

08-06-2024 22:56

240608-2w6ddsad42 10

Analysis

max time kernel
131s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newgame.exe
Size

86KB
MD5

da73d03e7e63df84355ca62baaefae8a
SHA1

4a24296ce0275ab6d5439a155a17d8de80d549d5
SHA256

16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610
SHA512

7d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7
SSDEEP

1536:t2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIoC1:tZv5PDwbjNrmAE+IIoe

Score

10^/10

discordrat persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzYwNjA2ODE3NTk2MjEzMw.G3Bv2h.Oi-mmhg6ZK_uTFZKjQiDOwr-wcEm-Hq0xizKtQ
server_id
1247606720864321577

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 956 created 588	956	newgame.exe	5

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	discord.com
12	discord.com
23	discord.com
24	discord.com
30	raw.githubusercontent.com
31	discord.com
4	discord.com
13	discord.com
18	discord.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
9	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp69AD.tmp.png"	newgame.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 3312	956	newgame.exe	72

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
956	newgame.exe
3312	dllhost.exe
3312	dllhost.exe
3312	dllhost.exe
3312	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	newgame.exe
Token: SeDebugPrivilege	956	newgame.exe
Token: SeDebugPrivilege	3312	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 956 wrote to memory of 3312	956	newgame.exe	72
PID 3312 wrote to memory of 588	3312	dllhost.exe	5
PID 3312 wrote to memory of 644	3312	dllhost.exe	7
PID 3312 wrote to memory of 728	3312	dllhost.exe	8
PID 3312 wrote to memory of 912	3312	dllhost.exe	13
PID 3312 wrote to memory of 1000	3312	dllhost.exe	14
PID 3312 wrote to memory of 60	3312	dllhost.exe	16
PID 3312 wrote to memory of 832	3312	dllhost.exe	17
PID 3312 wrote to memory of 1096	3312	dllhost.exe	19
PID 3312 wrote to memory of 1124	3312	dllhost.exe	20
PID 3312 wrote to memory of 1180	3312	dllhost.exe	21
PID 3312 wrote to memory of 1208	3312	dllhost.exe	22
PID 3312 wrote to memory of 1324	3312	dllhost.exe	23
PID 3312 wrote to memory of 1332	3312	dllhost.exe	24
PID 3312 wrote to memory of 1360	3312	dllhost.exe	25
PID 3312 wrote to memory of 1384	3312	dllhost.exe	26
PID 3312 wrote to memory of 1508	3312	dllhost.exe	27
PID 3312 wrote to memory of 1540	3312	dllhost.exe	28
PID 3312 wrote to memory of 1584	3312	dllhost.exe	29
PID 3312 wrote to memory of 1596	3312	dllhost.exe	30
PID 3312 wrote to memory of 1676	3312	dllhost.exe	31
PID 3312 wrote to memory of 1692	3312	dllhost.exe	32
PID 3312 wrote to memory of 1804	3312	dllhost.exe	33
PID 3312 wrote to memory of 1820	3312	dllhost.exe	34
PID 3312 wrote to memory of 1912	3312	dllhost.exe	35
PID 3312 wrote to memory of 1952	3312	dllhost.exe	36
PID 3312 wrote to memory of 2032	3312	dllhost.exe	37
PID 3312 wrote to memory of 2040	3312	dllhost.exe	38
PID 3312 wrote to memory of 2124	3312	dllhost.exe	39
PID 3312 wrote to memory of 2392	3312	dllhost.exe	40
PID 3312 wrote to memory of 2408	3312	dllhost.exe	41
PID 3312 wrote to memory of 2432	3312	dllhost.exe	42
PID 3312 wrote to memory of 2488	3312	dllhost.exe	43
PID 3312 wrote to memory of 2652	3312	dllhost.exe	44
PID 3312 wrote to memory of 2664	3312	dllhost.exe	45
PID 3312 wrote to memory of 2692	3312	dllhost.exe	46
PID 3312 wrote to memory of 2700	3312	dllhost.exe	47
PID 3312 wrote to memory of 2712	3312	dllhost.exe	48
PID 3312 wrote to memory of 3012	3312	dllhost.exe	49
PID 3312 wrote to memory of 3064	3312	dllhost.exe	50
PID 3312 wrote to memory of 2364	3312	dllhost.exe	51
PID 3312 wrote to memory of 3216	3312	dllhost.exe	52
PID 3312 wrote to memory of 3268	3312	dllhost.exe	53
PID 3312 wrote to memory of 3396	3312	dllhost.exe	54
PID 3312 wrote to memory of 4012	3312	dllhost.exe	57
PID 3312 wrote to memory of 4004	3312	dllhost.exe	58
PID 3312 wrote to memory of 4812	3312	dllhost.exe	60
PID 3312 wrote to memory of 4724	3312	dllhost.exe	62
PID 3312 wrote to memory of 920	3312	dllhost.exe	63
PID 3312 wrote to memory of 3000	3312	dllhost.exe	64
PID 3312 wrote to memory of 4044	3312	dllhost.exe	65
PID 3312 wrote to memory of 3572	3312	dllhost.exe	66
PID 3312 wrote to memory of 4296	3312	dllhost.exe	67
PID 3312 wrote to memory of 432	3312	dllhost.exe	68

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1000
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ad5ed378-c8a3-4b39-8d20-ed2b9ba235c8}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3312
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:3604

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:60

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1124
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1324
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2032

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2652

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\newgame.exe
  "C:\Users\Admin\AppData\Local\Temp\newgame.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4724

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4044

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3572

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD807.tmp.csv

Filesize
30KB

MD5
9310b0081385ad706af0d3d70739c5e1

SHA1
129f808bc779b5b1468fd9ef738712006aa12424

SHA256
f088a11b7403408cf1ce020a0f59709fe00922fcc05fdfaea057271b05f4f86a

SHA512
71f6fa39c8051de60f2cdd7c4bec001bf3733f84da7710499dba7ebd8ae52704d0219af7ad8f58cafbf9ee492e1c2029e490c0d0460a164845ad36513546fe88

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD846.tmp.txt

Filesize
12KB

MD5
9e379b2165f876fde18740b1e3b715bc

SHA1
73254ea81fb1686fbc8c78066d4cfad823b6c40c

SHA256
cc19b1b0ef0f30341e6020c231818981a31760e81f250338777c3a20dec0e7ce

SHA512
8615fabae7f1c36799f7745c5eaad5b2f880775d52ff76db2735aced92df26eac9b56b8f1f5e4e765b0baf4f6e904d1fbcc00138b43dadd26b7890ec33f42df5

Download Submit
memory/588-23-0x000001595F5F0000-0x000001595F613000-memory.dmp

Filesize
140KB

Download
memory/588-25-0x000001595F620000-0x000001595F64A000-memory.dmp

Filesize
168KB

Download
memory/588-26-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

Filesize
64KB

Download
memory/588-235-0x000001595F620000-0x000001595F64A000-memory.dmp

Filesize
168KB

Download
memory/588-236-0x00007FF80A575000-0x00007FF80A576000-memory.dmp

Filesize
4KB

Download
memory/644-31-0x00000192728A0000-0x00000192728CA000-memory.dmp

Filesize
168KB

Download
memory/644-32-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

Filesize
64KB

Download
memory/644-243-0x00000192728A0000-0x00000192728CA000-memory.dmp

Filesize
168KB

Download
memory/956-11-0x000001D1404C0000-0x000001D1404DE000-memory.dmp

Filesize
120KB

Download
memory/956-10-0x000001D140490000-0x000001D1404A2000-memory.dmp

Filesize
72KB

Download
memory/956-13-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/956-1-0x000001D13E880000-0x000001D13E89A000-memory.dmp

Filesize
104KB

Download
memory/956-2-0x000001D158EA0000-0x000001D159062000-memory.dmp

Filesize
1.8MB

Download
memory/956-3-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/956-4-0x000001D159790000-0x000001D159CB6000-memory.dmp

Filesize
5.1MB

Download
memory/956-20-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/956-12-0x000001D1591F0000-0x000001D15922E000-memory.dmp

Filesize
248KB

Download
memory/956-161-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/956-5-0x00007FFFED903000-0x00007FFFED904000-memory.dmp

Filesize
4KB

Download
memory/956-0-0x00007FFFED903000-0x00007FFFED904000-memory.dmp

Filesize
4KB

Download
memory/956-6-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/956-14-0x00007FF8097B0000-0x00007FF80985E000-memory.dmp

Filesize
696KB

Download
memory/956-9-0x000001D159170000-0x000001D1591E6000-memory.dmp

Filesize
472KB

Download
memory/1000-35-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

Filesize
64KB

Download
memory/1000-34-0x0000028332100000-0x000002833212A000-memory.dmp

Filesize
168KB

Download
memory/1000-244-0x0000028332100000-0x000002833212A000-memory.dmp

Filesize
168KB

Download
memory/3312-231-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/3312-176-0x00007FF80A4D1000-0x00007FF80A5DF000-memory.dmp

Filesize
1.1MB

Download
memory/3312-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3312-19-0x00007FF8097B0000-0x00007FF80985E000-memory.dmp

Filesize
696KB

Download
memory/3312-21-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3312-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3312-18-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/3312-17-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download