Analysis
-
max time kernel
89s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
16-06-2024 14:28
Errors
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
ecb53bd6e2dcc654cf535d68d3a51ed7
-
SHA1
ec0f92220186d59e15914cd9665eb06f9e5c30b3
-
SHA256
2df3388f1981b32ad6e83789b3051d32894388be5aa997bebfe39ce370f5249c
-
SHA512
28c3b41199bc832349cd794135c81a4af459251a266002ec0db439f243c2d65a81e9697f973e14fc3d213e7f6d8ffef31d254e0a73ce818dc878643e757101c9
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+8PIC:5Zv5PDwbjNrmAE+wIC
Malware Config
Extracted
discordrat
-
discord_token
MTE4MTY1NzgyNTYwNTMzNzExOQ.Gh8-wx.xiyycDlChj7_zNW0UGw9RXtpwC1XGb_ZUVyHPg
-
server_id
1250078737546870865
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedc3846f8,0x7ffedc384708,0x7ffedc3847183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2647231282088752745,9077555651015157602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:13⤵
-
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b0 0x1501⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD556067634f68231081c4bd5bdbfcc202f
SHA15582776da6ffc75bb0973840fc3d15598bc09eb1
SHA2568c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
Filesize
152B
MD581e892ca5c5683efdf9135fe0f2adb15
SHA139159b30226d98a465ece1da28dc87088b20ecad
SHA256830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
Filesize
768B
MD56b0a36565522f48916ef603763f87ee9
SHA11dfc33fea9893e8d11d2271cfe5445c9b3993512
SHA256fdd5768dfd7bef5e8c49928e8904887801b05ff4280d9fb71ccae7b60802050d
SHA5126ffb55f429bca2fee8e037686e80daa6e364b3585d96905745864ff6ed1d8fa524f870f639082117eb993e2259673ecabdb455c11e81caf7a7d866ef890c2ba5
-
Filesize
1KB
MD515a1f7aa22ec76f16a93051a433bb4f7
SHA10701d640fba6f2d31dff5aabdc0f10fb871322ff
SHA256e0d2770942c9108aa98ab7ce241d11f3dd8f2cbc7dd36a7df2cbac86bf3b8baf
SHA51287f5a7bc9cbe0b9724b5583733fc29738ed150716b43e8780f6e1c7f856766a0fec1e6105aef235a342a83e5a708c8a65324e40ef97b885b294627b9a1d03340
-
Filesize
6KB
MD522a5e7e535be2ad967f957981261b5f0
SHA16914745db59bc751187cf4273693592e579cac2b
SHA2563a39fda3505a87e43bd0f4adc764fa25ca731b8a8f377db29cf14de8aea86b41
SHA512dd6460efbeba2c317688d4fd75a171cddae8c073cdbe84c66cef452f992ceddf415328bbe3494a0b27102227a42fd775aba04adb37f9b990a92d4c34d8d567c0
-
Filesize
7KB
MD52c7ae6b7dfdb86db4c769e11ac4fa320
SHA18ee031f8bc23310f02eb45eeb16cc5a1807285ac
SHA256c1c28b0118139c22102682aab99f555eb865cde1116127113a2b0ad3afb86934
SHA512dfcfd97a652018a0c0ee14dd1ce3ca2a209c20f023ec4220b6894aafab9257946e704c9e4055fb3561b3d97af05e6f52834b62106149f9cea2e2d183ad237636
-
Filesize
72B
MD5b291384ea7590a20bb49a7cba4425b39
SHA1489b70afbf177ea87616d39efbaceea44f090745
SHA2569fc9685773bc8b70d3fe92be05cb920c9d519f5c93357a4b62b1666cfb893533
SHA51258fc4aeac36ddfbacf1f5598facf6d5bfe651f3efe8dfd160776ff909b610d9f5e728c12ffc133215da405bd864d7be68daa1d93b2fc051f435d4e60deda8142
-
Filesize
48B
MD57c1f85d87d39b95fe8f94868544b57f4
SHA15886c7075e94240fc3363c021e3965d538e87d40
SHA25661f1d62f8e0003d9e709bc37dc0d95d432ee24b605fd4d7fc5319f61259d41d9
SHA5120b1d61a9370a989a7ba078d9a12e3ee2ee0a3cef44009fb57b42a1718cd30945903e3aff6de431b44e3a5a16d1d628b168128d6e6a96c808cc77009d0cc38f2f
-
Filesize
11KB
MD54c7902c35c0cc26c573db59f4a8039dd
SHA14cfb3e09b0811a9f0cd0a871d0b3918a141f6cbc
SHA2569bdf3df23ff79772fd300b3dcffdc94859af9873d87c67c2d93db9b4e0735066
SHA512dfbea89299d172494bf0f3f55684f35865d6c6554f32c95b3dd8b75284330bd07950362fbf0ab8585025d5b7cea06d6fb803183efa740c69300bac45f2d32144
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
8KB
-
Filesize
680KB