Analysis Overview
SHA256
d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24
Threat Level: Known bad
The file hehe's external.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 18:57
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 18:57
Reported
2024-06-19 19:00
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Discord RAT
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4272278488\2581520266.pri | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4656 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4656 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
"C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrmmsl3v.dcq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 18:57
Reported
2024-06-19 19:00
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Discord RAT
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3672 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3672 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
"C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fuycsiwa.enq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 18:57
Reported
2024-06-19 19:00
Platform
win11-20240611-en
Max time kernel
91s
Max time network
126s
Command Line
Signatures
Discord RAT
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4288 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4288 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\hehe's external.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
"C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F8 0x0000000000000500
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fux45edj.4ot.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |