discordrat | 74b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188

Resubmissions

25-06-2024 14:50

240625-r7v2payhnn 10

25-06-2024 14:48

25-06-2024 14:40

25-06-2024 14:36

25-06-2024 14:34

Analysis

max time kernel
126s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 14:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

cdumper/compiler.exe
Size

78KB
MD5

cc0c0d53ea855321b892e9d69ce09d1f
SHA1

604de3c919a7768f107e15c12c816ed11ea0146f
SHA256

cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529
SHA512

58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score

10^/10

discordrat persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
server_id
1250682422434074634

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
3	discord.com
4	discord.com
10	discord.com
6	discord.com
8	discord.com
14	discord.com
44	discord.com
45	discord.com
7	discord.com
12	discord.com
15	discord.com
16	discord.com
41	discord.com
11	discord.com
43	discord.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAB34.tmp.png"	compiler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC1BB.tmp.png"	compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638001234763434"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3288	chrome.exe
3288	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	compiler.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: 33	2128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2128	AUDIODG.EXE
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	3288	chrome.exe
Token: SeCreatePagefilePrivilege	3288	chrome.exe
Token: SeShutdownPrivilege	2436	compiler.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe
3288	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 4212	3288	chrome.exe	80
PID 3288 wrote to memory of 4212	3288	chrome.exe	80
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 3268	3288	chrome.exe	81
PID 3288 wrote to memory of 228	3288	chrome.exe	82
PID 3288 wrote to memory of 228	3288	chrome.exe	82
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83
PID 3288 wrote to memory of 1848	3288	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe
"C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbaa3aab58,0x7ffbaa3aab68,0x7ffbaa3aab78
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:2
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1392 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1832,i,1144931001242086019,3814878710446047147,131072 /prefetch:8
  2⤵
  PID:3068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact