Analysis
-
max time kernel
41s -
max time network
54s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
25-06-2024 16:36
Errors
General
-
Target
https://cdn.discordapp.com/attachments/1254334525543288915/1254336947875217519/solarabootstraper.exe?ex=667bc2d0&is=667a7150&hm=9e37d9feda8ac823db279851a858c2d999a629b641924f99d34c335af2ab7d6e&
Malware Config
Extracted
discordrat
-
discord_token
MTIzOTEzMTk4MTc4NzI5OTkxMg.G2PouQ.rmLVRC29c13dyUDlcJhFL4MtNpJCMM3OTOmuyI
-
server_id
1254334525543288912
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1254334525543288915/1254336947875217519/solarabootstraper.exe?ex=667bc2d0&is=667a7150&hm=9e37d9feda8ac823db279851a858c2d999a629b641924f99d34c335af2ab7d6e&1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80f013cb8,0x7ff80f013cc8,0x7ff80f013cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\solarabootstraper.exe"C:\Users\Admin\Downloads\solarabootstraper.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77test.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe'" /sc onlogon /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a8e4bf11ed97b6b312e938ca216cf30e
SHA1ff6b0b475e552dc08a2c81c9eb9230821d3c8290
SHA256296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad
SHA512ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76
-
Filesize
152B
MD523da8c216a7633c78c347cc80603cd99
SHA1a378873c9d3484e0c57c1cb6c6895f34fee0ea61
SHA25603dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3
SHA512d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
5KB
MD53a2dabb54ea9b4f4517881e92dd77b63
SHA1478e42b82b3b68627363aecb939551c386e929fc
SHA256897c75479c8cd0abd55173cb0ba0a5d3f1e137b58c2f6509b28b6b2aa093cc9c
SHA512a73b6a0eba56a0da3bafc7e6318407a446d0c31486a4d6f1b39a61dd50ed36734a732a0300bbe5c59b2ba4e755ffc592c8a7328024ea59af54933e390d5f0534
-
Filesize
5KB
MD5eae4285984655415c93c8089929db201
SHA143f78ab62088822daae8917e2952d9697ab4dd88
SHA25689e6c309f20127176afeeec396d43f7fd89d776f52c72fef7ef4ae48c5b7fa1f
SHA51252f33078ef5717f439323db1be7295d016f5fbf7a55b06f07cbef82dc73eeca9b48e89fd32be3103e3c8592062aade5c66782d17215584997f1c2ca531011479
-
Filesize
5KB
MD5fc4f194621d8837c314f93a43ff80ea4
SHA187682f1d85ff5af60cbb6fd1a459d99906b05eba
SHA2566eea96649109f0bcdc7882bcdc31393abcf7de6c7f82fabf44ba96fe9254c1fc
SHA51291ad899c363c614e87c37cd518cfc1d6bbe75c6aba8e370bf8e76813fb64501c3a2a12bd72dc631bf812fa8de18b804acca5827dcfe70f8963239b820192435a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5754b9a63bc08f84ffc4bbf21f3397556
SHA13f01c210d860c5a9281479304efbadf543b50d09
SHA2566f3fef9f4562dfc9a08380ff591ef7a5a6395d83bdbd8dad9667e08cae5c1a5c
SHA51232a65bdac36acf966e3f237d35638368b6d29e4f79ebfb2e5b1418970201ac09f461d9d4f03645dfd4a34d4ae0961b0af3e3b87e4f909454072b86b75a3ebafb
-
Filesize
11KB
MD5be6eb3d4c033a8702d905afae18a5f87
SHA1669aab92d92bdf80e48809a05cbc864eaefe61aa
SHA256b78ca11790ae1e63c758309b071edd692ad9e5ca033d41554dc3cb1b2239f797
SHA51256c0ead5d71b922765eefc0cc11cbb4a37ebc12855f1c1c1671693dced2b88c3520cf68edf5e2b4e6677db13d60d9638d3e911b5c8e947184e4453a81d2ca29d
-
Filesize
78KB
MD5cd0398fb5a04ce43be2b1183e7dfad06
SHA1e1e9ac1f1f2533f3bfec802cae2cbeeeac65c181
SHA256c4fb94399b109d19585a03233be7663000aae8c7c7f8661ce744c59bfa8ced08
SHA51250bfd2614078082fd83e43e61a36b086eae0fec2399fae5655c6442a474ffb7c25cabe43b4c484c85acc4fac72c2f2613dc00e85045242dfcdd91093519699bc
-
Filesize
497KB
MD548258af1b1134dffa388c6f2590325c3
SHA1e2fa6a4351d7b358e6b20e9194b63b54751458d4
SHA256d0452f63e207ead4ba0828fba9cd46d54c08906ac3f35f1c0b27dda2d60fbc83
SHA5121eeceefb8843f72b55e1b517039ab53cd72af3bb294fe9b06ce0a6207749506bf299cd913a4a1088ffa002069821d346ec3fc045fa701014110beec03d7d208c
-
Filesize
96KB
-
Filesize
1.8MB
-
Filesize
5.2MB