discordrat | d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24

General

Target

hehe's external.exe
Size

78KB
MD5

89843ea4105378e4fbe7afe99f2b291b
SHA1

a469ae734ba46f9a3712d95fa987286a303263d7
SHA256

d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24
SHA512

7cff64984b9d4cd233542e10cb507b99fd7c291d4cea52af6feb36e029094d7db68643d120f6239623ef567867baab903095a56fc713565cddddbcb66b5f5574
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9GPIC:5Zv5PDwbjNrmAE+8IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MjM2MzM1NDQwNDgxOTEzOA.Gu7T7x.fG7ImMChaLHchh6lcv8_MHa3JQWR8Fn4L12thY
server_id
1251916764929982485

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

hehe's external.exe

description pid process target process

PID 4728 created 584 4728 hehe's external.exe winlogon.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4728 created 584	4728	hehe's external.exe	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
4	discord.com
12	discord.com
18	discord.com
19	discord.com
25	raw.githubusercontent.com
27	discord.com
3	discord.com
9	discord.com
13	discord.com
17	discord.com
24	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

hehe's external.exe

description pid process target process

PID 4728 set thread context of 4100 4728 hehe's external.exe dllhost.exe

description	pid	process	target process
PID 4728 set thread context of 4100	4728	hehe's external.exe	dllhost.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid process

4192 taskmgr.exe
3360 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

hehe's external.exetaskmgr.exeAUDIODG.EXEdllhost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4728	hehe's external.exe
Token: SeDebugPrivilege	4192	taskmgr.exe
Token: SeSystemProfilePrivilege	4192	taskmgr.exe
Token: SeCreateGlobalPrivilege	4192	taskmgr.exe
Token: 33	4192	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4192	taskmgr.exe
Token: 33	4152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4152	AUDIODG.EXE
Token: SeDebugPrivilege	4728	hehe's external.exe
Token: SeDebugPrivilege	4100	dllhost.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hehe's external.exedllhost.exe

description	pid	process	target process
PID 4728 wrote to memory of 4348	4728	hehe's external.exe	SCHTASKS.exe
PID 4728 wrote to memory of 4348	4728	hehe's external.exe	SCHTASKS.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	dllhost.exe
PID 4100 wrote to memory of 584	4100	dllhost.exe	winlogon.exe
PID 4100 wrote to memory of 636	4100	dllhost.exe	lsass.exe
PID 4100 wrote to memory of 728	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 908	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1004	4100	dllhost.exe	dwm.exe
PID 4100 wrote to memory of 64	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 304	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 380	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1040	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1080	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1100	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1172	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1220	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1304	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1324	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1336	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1416	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1472	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1540	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1564	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1584	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1664	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1680	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1796	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1804	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1868	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1904	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 1536	4100	dllhost.exe	spoolsv.exe
PID 4100 wrote to memory of 1900	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2060	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2364	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2492	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2536	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2544	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2588	4100	dllhost.exe	sihost.exe
PID 4100 wrote to memory of 2632	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2708	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2716	4100	dllhost.exe	sysmon.exe
PID 4100 wrote to memory of 2756	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2780	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2792	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2904	4100	dllhost.exe	taskhostw.exe
PID 4100 wrote to memory of 3052	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2864	4100	dllhost.exe	unsecapp.exe
PID 4100 wrote to memory of 3360	4100	dllhost.exe	Explorer.EXE
PID 4100 wrote to memory of 3932	4100	dllhost.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3684	4100	dllhost.exe	DllHost.exe
PID 4100 wrote to memory of 4752	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 4488	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 3968	4100	dllhost.exe	svchost.exe
PID 4100 wrote to memory of 2560	4100	dllhost.exe	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1004

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{502ccfae-c3a2-47f2-ac71-6f0b0a4d45c7}
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:64

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1080

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1416

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2708

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3052

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
"C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
3⤵
PID:4348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3968

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3464

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3068

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FB37E93139FE414EACF34E30FDA993A6.dat
Filesize
940B

MD5
d55714f7fc0bdc6379d97500d325b221

SHA1
0662517e18ca899b56fff8cf2d9d917afd54a6ce

SHA256
9da511206473d7f3c178592dca1a7d9a9da5ab3573602f39c8a51649166c49a8

SHA512
561d7e6dfb9517ee1e2dfeb5e2b6b47a378d06331f5e0f30d6280a628c68ee01820bfdb7920828b7c0531f4f407cd1865bd3d3e464a09e454c71980c7d805ea3

Download Submit
memory/584-37-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/584-34-0x0000022D64A80000-0x0000022D64AA3000-memory.dmp

Filesize
140KB

Download
memory/584-36-0x0000022D64AB0000-0x0000022D64ADA000-memory.dmp

Filesize
168KB

Download
memory/636-39-0x000001F3C7E60000-0x000001F3C7E8A000-memory.dmp

Filesize
168KB

Download
memory/636-40-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/1004-46-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/1004-45-0x0000028C31FC0000-0x0000028C31FEA000-memory.dmp

Filesize
168KB

Download
memory/3360-88-0x0000000002590000-0x00000000025BA000-memory.dmp

Filesize
168KB

Download
memory/3360-89-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/4100-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-31-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp

Filesize
696KB

Download
memory/4100-32-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-29-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-30-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-26-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-0-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp

Filesize
4KB

Download
memory/4728-27-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp

Filesize
696KB

Download
memory/4728-25-0x0000011EEB1E0000-0x0000011EEB21E000-memory.dmp

Filesize
248KB

Download
memory/4728-17-0x0000011EEB0F0000-0x0000011EEB19A000-memory.dmp

Filesize
680KB

Download
memory/4728-13-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-12-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp

Filesize
4KB

Download
memory/4728-4-0x0000011EE9080000-0x0000011EE95A6000-memory.dmp

Filesize
5.1MB

Download
memory/4728-3-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-2-0x0000011EE8880000-0x0000011EE8A42000-memory.dmp

Filesize
1.8MB

Download
memory/4728-1-0x0000011ECE280000-0x0000011ECE298000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads