Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
03-07-2024 15:39
General
-
Target
veydovokna.exe
-
Size
78KB
-
MD5
7ee32f2553fa474e79b2f1a444172735
-
SHA1
fc17876384c197f73a7471850d13748aa6f659b0
-
SHA256
d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39
-
SHA512
2789dc16e615f28c29f5e81ade9e4b03a47d9855cc9092bbcdf90ce7419fe38cabd729a87f038f4aa3d8e2f5317ac69a0637737f468dd8d05532dbd3dda738b9
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls
-
server_id
1257063713945419826
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 12 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{e7d6cd19-0383-45ce-b7fb-436e9ad97cca}2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterSplit.ogg"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe"2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s LicenseManager1⤵
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k imgsvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.jsonFilesize
233B
MD5721836bbbbc66f60f370b7b4dfa46834
SHA138a710491bb5a25b8041ec696e8fb04d141ae9d8
SHA25670056310f5cfa853b61e10ac840d5eac7b3cc8c90c635ef11cbb3d67d25f6b5b
SHA51224eb166b11950b2bab4312f816d6f265cdd648262cf15e373219f9af110ac694604f718ef34635f973be35959fefa68ce4617ccf1d688b96d60ee3a047155a77
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.jsonFilesize
2KB
MD5404a3ec24e3ebf45be65e77f75990825
SHA11e05647cf0a74cedfdeabfa3e8ee33b919780a61
SHA256cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
SHA512a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
4KB
MD51bfe591a4fe3d91b03cdf26eaacd8f89
SHA1719c37c320f518ac168c86723724891950911cea
SHA2569cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA51202f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
-
C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
338B
MD53cdb58f4130d87cbd48166cb7346fa04
SHA159f7fc2ea1b6791f94c859b186f474a936d7dfbf
SHA256a805131e00ad9d78064b96b29badcddd2eb3e93a9122b6ed08ff1326b4ac2342
SHA5126c4a289e3881f74a566dda26d28404ea6bf90a413d7f6aa16af0d1ed5f60325090820714e241cc34ab1dc7bc745718df3ecfb9e8b72578cefa044ea98e30fdb8
-
memory/512-102-0x00007FFEB0420000-0x00007FFEB05FB000-memory.dmpFilesize
1.9MB
-
memory/512-101-0x0000026AB5690000-0x0000026AB56CE000-memory.dmpFilesize
248KB
-
memory/512-6-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmpFilesize
9.9MB
-
memory/512-0-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmpFilesize
4KB
-
memory/512-103-0x00007FFEB02C0000-0x00007FFEB036E000-memory.dmpFilesize
696KB
-
memory/512-4-0x0000026ACE7A0000-0x0000026ACECC6000-memory.dmpFilesize
5.1MB
-
memory/512-5-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmpFilesize
4KB
-
memory/512-2-0x0000026ACDFA0000-0x0000026ACE162000-memory.dmpFilesize
1.8MB
-
memory/512-3-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmpFilesize
9.9MB
-
memory/512-1-0x0000026AB3930000-0x0000026AB3948000-memory.dmpFilesize
96KB
-
memory/556-113-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmpFilesize
64KB
-
memory/556-112-0x0000025DA6070000-0x0000025DA609A000-memory.dmpFilesize
168KB
-
memory/556-110-0x0000025DA6040000-0x0000025DA6063000-memory.dmpFilesize
140KB
-
memory/644-115-0x0000024C650A0000-0x0000024C650CA000-memory.dmpFilesize
168KB
-
memory/644-116-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmpFilesize
64KB
-
memory/880-19-0x00007FF708A20000-0x00007FF708B18000-memory.dmpFilesize
992KB
-
memory/880-22-0x00007FFE8A100000-0x00007FFE8B1B0000-memory.dmpFilesize
16.7MB
-
memory/880-23-0x00007FFE8E180000-0x00007FFE8E28E000-memory.dmpFilesize
1.1MB
-
memory/880-21-0x00007FFE8FAF0000-0x00007FFE8FDA6000-memory.dmpFilesize
2.7MB
-
memory/880-20-0x00007FFEA05A0000-0x00007FFEA05D4000-memory.dmpFilesize
208KB
-
memory/1012-122-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmpFilesize
64KB
-
memory/1012-121-0x0000028C40600000-0x0000028C4062A000-memory.dmpFilesize
168KB
-
memory/4896-107-0x00007FFEB02C0000-0x00007FFEB036E000-memory.dmpFilesize
696KB
-
memory/4896-108-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/4896-106-0x00007FFEB0420000-0x00007FFEB05FB000-memory.dmpFilesize
1.9MB
-
memory/4896-105-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/4896-104-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB