Analysis
-
max time kernel
100s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
28-06-2024 23:27
General
-
Target
https://mega.nz/file/ozkjTSJZ#fJ0Vh1Kci8EtKQMCQ_k_sw1UaRnrwmIoUAQJg1zpGrw
Malware Config
Extracted
discordrat
-
discord_token
MTI1NjMyOTc1MzA1NzY4OTcxNw.G2RyzH.lPU7ZMdJ4zfRkLH95jf-R422bjUb-BYiYsu2tg
-
server_id
1256329683432112240
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ozkjTSJZ#fJ0Vh1Kci8EtKQMCQ_k_sw1UaRnrwmIoUAQJg1zpGrw1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff457b46f8,0x7fff457b4708,0x7fff457b47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6104 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2984 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4c4 0x3e41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exe"C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5dabfafd78687947a9de64dd5b776d25f
SHA116084c74980dbad713f9d332091985808b436dea
SHA256c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c39b3aa574c0c938c80eb263bb450311
SHA1f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA25666f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD53ffc8742109f81b4445144f6373a52c2
SHA1791c93b18ab44ff6cdc6c8b80c3c0d563113e9f5
SHA25632b287f3e8e5af6d48edf8fe57b6e2695fe95bb59dc13e02d9ef216e3819a7bf
SHA51263f3eb03d3d356d408c2632fc436a4bbd8aeada76bc1f6251c1f90943745984f9f67430879451dfd4c77745e22a53a4f5f68e90340c46618b4ed36a9c9ef0135
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59a4dc83e9b22b040c2417ddcaf800379
SHA1c4982646ed059f69825420d15441a803ad37ba74
SHA256d3ba6bed9cce19d5c9da98fa7946d6b992f41493b6d0366f03ac67b9c63f43a0
SHA512116422c60fc0073aa5273724f79acfa99ebdd8e07891020eb13e241c3874bcbe47aa0e4dbf6fca139d91f571955fe04bd5d8cee24396dd1d5e2e355721c2dac3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD578fce8c124d6a651ff747155e5a1d180
SHA16d5c57099c773a7aeada4377c631fc79cf74889b
SHA25600487f4b00b0441c762680851450cfb133f5517b81266ded7260547d4b695cda
SHA51244a3d45a7a0b75c2d03f7b6f8e52880c372178ecc282dece1d75c85c1ec7e6094cea53429de1ed989b40255fbe6a8a57f83a409bb19b899ce6c62696ed602132
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5111bc6dd6e25fcbec08696ff282a5e43
SHA1eac70e871ca1a224db80fed5e48ed5a5a5a4c0e0
SHA256122bef027194082196fa2ca54cc521ee4d5f9065d7473d3c444f71e1d3f8dc56
SHA5123c5dfc11dea45224767cdce650018695988f77c3f2d200c3bc2fc49996cb9f2d2dec6093a57b0690a217633a175e776750e8d583d72ada246fa34cfe80eeac71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579a4c.TMPFilesize
48B
MD5d700c1212e7c905199c7eb9ae0b35e8c
SHA13435321339a127158aa31b278e88539da2a8c973
SHA256660db660899b4adf114219288c5b904326786964825c15344fb0b11e1f24feda
SHA512d46cff9bd01b7d5c1945fd9896dc99defe791f94e4d178294a4e6e8c8abf98f43241fda845fd5f38f6ab9e84eb9bf9416dc90565dc9212bd49158235597f28cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd3f5f7f-b48a-4c24-a2e8-672fa756baa9.tmpFilesize
5KB
MD54f4dba68896332970af647a0d11fc69d
SHA1ea5a6d3baf1777de5dc8d3343402ccfcde89bdba
SHA256e52d4f0ed41b75815b66483a4d38f8aa96bb2532e7b764c2026e789e7a4a3cdb
SHA512527ad21fa3f6878defcfe18b7e1f13e45e1dabbca8127c2452788c4e7658fc8c63ecc9de95555d5ced563369bf633f78b15aa1604b37623b7dce539849f98753
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58372dd94672e41eb348ff643185c0b5d
SHA19c3ea79cddb131c470e6bbf894d33a454e81d48e
SHA256dcd0ec943d8e5a8a627d7d3e4b05a60b15ee5cd7271a18fc71265f7f41fa143a
SHA512a665d667f25fe6d617978d832e94a937f5e792d36e4223225c5205a7a332a6e9c3efad2fec8a6bbb3dcf8e2d5aa67228bb4e5c77c259397044f9b625a89dd6d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD519c9168e927e239f95ce62a0e29ab9de
SHA1a59d623703af5e82d92502db38ce26b6808c231c
SHA25692416f2a4a716dd87c4adb42ee82af34295ed40eec143460b10f2b5e568d3270
SHA5128ecce07f4e038c5bac9fc82d63203c06f6bced4d6b5fb27e2fd814d72bc18bf06cafb61fbcff4a39afe78991dbb9914389d930012381e8bbdf2faf5df22f4d8f
-
C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exeFilesize
78KB
MD55a990fb404c61ad153c8004c94670f93
SHA110f8ac57cb952bd39dc87a4fcc5dc9ade06709b8
SHA25630301c07c9b85a6afb1338b95ad67b0ea64d487a7b16555a32a164b3ef263da8
SHA512bd02653fae4bf085452916d6a80dd0a72a99275c351773217e72dd3f13af993e82fc47956ddac33229013348b15b4dbb468d99c982d8376e82e58e9db565cf90
-
\??\pipe\LOCAL\crashpad_4916_HIOREYZQRDGCLHKIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/780-226-0x0000020B43950000-0x0000020B43968000-memory.dmpFilesize
96KB
-
memory/780-228-0x0000020B5E770000-0x0000020B5EC98000-memory.dmpFilesize
5.2MB
-
memory/780-293-0x0000020B5E2F0000-0x0000020B5E39A000-memory.dmpFilesize
680KB
-
memory/780-227-0x0000020B5DF70000-0x0000020B5E132000-memory.dmpFilesize
1.8MB
-
memory/3008-285-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-287-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-286-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-277-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-284-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-283-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-282-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-281-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-276-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB
-
memory/3008-275-0x00000182B1060000-0x00000182B1061000-memory.dmpFilesize
4KB