Analysis Overview
SHA256
6fbb1c25814dd749fb423bc4f9bca99919030278a27ca09b9f997b3ef84d3c1d
Threat Level: Known bad
The file builder.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 17:50
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 17:50
Reported
2024-06-17 17:53
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Discord RAT
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4580-0-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp
memory/4580-1-0x0000027826B40000-0x0000027826B58000-memory.dmp
memory/4580-2-0x0000027841350000-0x0000027841512000-memory.dmp
memory/4580-3-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | e9aa12ff0be6d995ed86f8cf88678158 |
| SHA1 | e5ee38fc2ebef0fcbc3059dee29b39f7daf21931 |
| SHA256 | f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561 |
| SHA512 | 95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc |
memory/4580-11-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp