Analysis
max time kernel: 52s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 16:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&
Resource: win10v2004-20240611-en

General
Target: https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&
Malware Config
Extracted: discordrat
discord_token: MTI1NTM0ODAzMTI3NzEwOTMyOA.GFA2V2.Xn7ioNW4QOiq2qIR5-q8URTs5_7FhbdVLeLF14
server_id: 1255347532347736107
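The extracted config can be pivoted on offline. The first dot-separated segment of a Discord bot token is the bot's user ID in unpadded base64, and that ID (like the server_id) is a snowflake whose top 42 bits are milliseconds since Discord's 2015-01-01 epoch, so the bot's and guild's creation times fall out without contacting the C2 or using the token. The following is an added example, not part of the sandbox report or of the RAT; it only decodes the public ID component and does not validate or use the token.

```python
import base64
from datetime import datetime, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Values copied from the Malware Config section of this report.
EXTRACTED_TOKEN = "MTI1NTM0ODAzMTI3NzEwOTMyOA.GFA2V2.Xn7ioNW4QOiq2qIR5-q8URTs5_7FhbdVLeLF14"
EXTRACTED_SERVER_ID = 1255347532347736107


def decode_bot_id(token: str) -> int:
    """Return the bot user ID carried in the first segment of a Discord bot token.

    Bot tokens are three dot-separated parts; the first is the bot's user ID
    (a snowflake) as unpadded base64. The second (timestamp) and third (HMAC)
    parts are not decoded here, and nothing is sent to Discord.
    """
    first = token.split(".", 1)[0]
    padded = first + "=" * (-len(first) % 4)
    raw = base64.urlsafe_b64decode(padded).decode("ascii")
    if not raw.isdigit():
        raise ValueError("first token segment is not a numeric user ID")
    return int(raw)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Top 42 bits of a snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def summarize_config(token: str, server_id: int) -> dict:
    """Pivot points an analyst gets from the config without touching the C2."""
    bot_id = decode_bot_id(token)
    return {
        "bot_id": bot_id,
        "bot_created_utc": snowflake_to_datetime(bot_id),
        "server_id": server_id,
        "server_created_utc": snowflake_to_datetime(server_id),
    }


if __name__ == "__main__":
    for key, value in summarize_config(EXTRACTED_TOKEN, EXTRACTED_SERVER_ID).items():
        print(f"{key}: {value}")
```

For this sample the bot ID and the guild ID both decode to creation times on 26-06-2024 (UTC), the same day the sample was submitted, which is typical of throwaway Discord C2 infrastructure and is a useful fact to carry into a takedown request or a retro-hunt over proxy logs for discord.com traffic.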
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Executes dropped EXE (4 IoCs)
pid   Process
4300  3CXLoader.exe
5412  3CXLoader.exe
5488  3CXLoader.exe
3556  3CXLoader.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
flow  ioc
105   discord.com
107   discord.com
108   discord.com
128   discord.com
130   discord.com
98    discord.com
99    discord.com

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4300  3CXLoader.exe
Token: SeDebugPrivilege  5412  3CXLoader.exe
Token: SeDebugPrivilege  5488  3CXLoader.exe
Token: SeDebugPrivilege  3556  3CXLoader.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process        procid_target
PID 3988 wrote to memory of 4300   3988  3CXLoader.exe  113
PID 3988 wrote to memory of 4300   3988  3CXLoader.exe  113
PID 5180 wrote to memory of 5412   5180  3CXLoader.exe  118
PID 5180 wrote to memory of 5412   5180  3CXLoader.exe  118
PID 5200 wrote to memory of 5488   5200  3CXLoader.exe  119
PID 5200 wrote to memory of 5488   5200  3CXLoader.exe  119
PID 5372 wrote to memory of 3556   5372  3CXLoader.exe  128
PID 5372 wrote to memory of 3556   5372  3CXLoader.exe  128
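The three behavioural signatures above are only useful together: every WriteProcessMemory pair here is a parent writing into the child it just spawned (the same pairs appear in the process tree below), so on its own it is process creation, not injection into a foreign process; it becomes interesting when the written-to child is also a dropped executable that immediately enables SeDebugPrivilege. The following is an added example, not part of the sandbox report, that parses the flattened signature rows exactly as this page prints them (copied in as the constructed input) and correlates the three tables. The procid_target column is taken to be the sandbox's own process index rather than a Windows PID and is ignored; that reading is an assumption.

```python
import re
from collections import defaultdict

# The three signature tables from this report, in the flattened form the page shows them in.
WRITE_PROCESS_MEMORY = (
    "PID 3988 wrote to memory of 4300 3988 3CXLoader.exe 113 "
    "PID 3988 wrote to memory of 4300 3988 3CXLoader.exe 113 "
    "PID 5180 wrote to memory of 5412 5180 3CXLoader.exe 118 "
    "PID 5180 wrote to memory of 5412 5180 3CXLoader.exe 118 "
    "PID 5200 wrote to memory of 5488 5200 3CXLoader.exe 119 "
    "PID 5200 wrote to memory of 5488 5200 3CXLoader.exe 119 "
    "PID 5372 wrote to memory of 3556 5372 3CXLoader.exe 128 "
    "PID 5372 wrote to memory of 3556 5372 3CXLoader.exe 128"
)
ADJUST_PRIVILEGE_TOKEN = (
    "Token: SeDebugPrivilege 4300 3CXLoader.exe Token: SeDebugPrivilege 5412 3CXLoader.exe "
    "Token: SeDebugPrivilege 5488 3CXLoader.exe Token: SeDebugPrivilege 3556 3CXLoader.exe"
)
EXECUTES_DROPPED_EXE = "4300 3CXLoader.exe 5412 3CXLoader.exe 5488 3CXLoader.exe 3556 3CXLoader.exe"

# Row layouts: description | pid | Process | procid_target (assumed to be the sandbox's
# internal process index, not a PID, so it is captured and ignored).
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
PRIV_ROW = re.compile(r"Token: (\w+) (\d+) (\S+)")
DROP_ROW = re.compile(r"(\d+) (\S+)")


def parse_write_process_memory(text: str) -> dict:
    """Map (parent_pid, child_pid) -> parent image name, collapsing the duplicated rows."""
    edges = {}
    for parent, child, pid, name, _index in WPM_ROW.findall(text):
        if parent != pid:  # the description repeats the pid column; a mismatch means a parse error
            raise ValueError(f"row for child {child}: description pid {parent} != pid column {pid}")
        edges[(int(parent), int(child))] = name
    return edges


def parse_privileges(text: str) -> dict:
    """Map pid -> set of privilege names the process enabled on its token."""
    privs = defaultdict(set)
    for priv, pid, _name in PRIV_ROW.findall(text):
        privs[int(pid)].add(priv)
    return dict(privs)


def parse_dropped(text: str) -> dict:
    """Map pid -> image name for processes started from a file the sample wrote to disk."""
    return {int(pid): name for pid, name in DROP_ROW.findall(text)}


def correlate(edges: dict, privs: dict, dropped: dict) -> list:
    """Children that a parent wrote into, that run from a dropped file, and that took SeDebugPrivilege."""
    hits = []
    for (parent, child), _parent_name in sorted(edges.items()):
        if child in dropped and "SeDebugPrivilege" in privs.get(child, set()):
            hits.append({"parent": parent, "child": child, "image": dropped[child]})
    return hits


def analyse() -> list:
    """Run the three parsers over the report's rows and return the correlated hits."""
    return correlate(
        parse_write_process_memory(WRITE_PROCESS_MEMORY),
        parse_privileges(ADJUST_PRIVILEGE_TOKEN),
        parse_dropped(EXECUTES_DROPPED_EXE),
    )


if __name__ == "__main__":
    for hit in analyse():
        print(f"parent {hit['parent']} -> child {hit['child']} ({hit['image']}): dropped EXE + SeDebugPrivilege")
```

The same correlation is what a detection rule over EDR telemetry would express: a process created from a freshly written file under %TEMP%, whose parent has the same image name, calling AdjustTokenPrivileges for SeDebugPrivilege within seconds of start. The parse step matters because the sandbox prints each WriteProcessMemory row twice; deduplicating on the (parent, child) pair keeps the count honest.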
Processes
Indentation shows parent/child depth. Each of the four Downloads\3CXLoader.exe runs extracts into a fresh %TEMP%\RarSFXn directory (the WinRAR self-extractor's working folder) and starts the copy of 3CXLoader.exe dropped there; it is that child, not the downloaded wrapper, that enables SeDebugPrivilege.

PID 1484  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&

PID 4948  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=764,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1

PID 4288  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4308,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1

PID 2192  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5072,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1

PID 2132  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5472,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8

PID 4724  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5488,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8

PID 2064  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6308,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:8

PID 4976  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5108,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:1

PID 2620  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6300,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1

PID 4364  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5024,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8

PID 3496  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6976,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:8

PID 1156  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7128,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8

PID 1036  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6996,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:8

PID 2712  C:\Windows\system32\AUDIODG.EXE 0x4f0 0x320

PID 3988  "C:\Users\Admin\Downloads\3CXLoader.exe"  [Suspicious use of WriteProcessMemory]
    PID 4300  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]

PID 5180  "C:\Users\Admin\Downloads\3CXLoader.exe"  [Suspicious use of WriteProcessMemory]
    PID 5412  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\3CXLoader.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]

PID 5200  "C:\Users\Admin\Downloads\3CXLoader.exe"  [Suspicious use of WriteProcessMemory]
    PID 5488  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\3CXLoader.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]

PID 5932  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5320,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8

PID 5948  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5320,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8

PID 6036  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6604,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:1

PID 1484  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 5372  "C:\Users\Admin\Downloads\3CXLoader.exe"  [Suspicious use of WriteProcessMemory]
    PID 3556  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\3CXLoader.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]

PID 5904  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7172,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=7308 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: 59c231f52b80f128a8f5ef1216980c82
SHA1: 710bfdbca2cc26a856619808121e23160fae874f
SHA256: e8452a2ffae08315c802c2ac4de41ea328de6fed942890e0682d261e89391502
SHA512: 93024af146d4586ada9410ba59f49811454fad40bf61349e99c5b4920449d5fcea3c70ba6a7df53b80464d61efcca708c22847f27f02be4ede4b97ce1678c5f1

Filesize: 45KB
MD5: a966b0d8ea9adb1b32f8cda40dec4d32
SHA1: 98d342253bbe84c20a03742e409e0c3909ae28dd
SHA256: e1e993f2026f740af27642e9b0529a8eee5614829fd89e9e715c0e4f5aeec680
SHA512: 6878b1fba8f72e82ab6d3d6821eee7493a0c16c64f46505bf4069314d4550791b6f94e73f15737a95f8f04e4d07f020b6c7ec306b218f84ba6fded0bfb3074bd