discordrat | 144ce56abbd5e2377f3c3218763cb2f27cb334515838be32ca0514995fd5f706

General

Target

Custom Theme.msi
Size

1.9MB
MD5

3a6d228f64408b62459124daf05bb83f
SHA1

a0c43230ae4eb0611052b78053214a5e8898a9a4
SHA256

90673e8a84408b0bf7c029cf6b3c1394a52bb32f318770a0328d7904256e7643
SHA512

1cfc629d234cb97a40c154a3beeef2f822bbf86c6d90c8df026cf249afd6b7b062ce7a0f6f1b8e787a3972848b42b5320c1ed7ff99c91e00c1d494d412c52c13
SSDEEP

24576:IxoNa2uPYAGxUherZNh0lhSMXlrI5s2JK5kmwy0CfKAe7:9GP5Ferq7I5RJK5k1jCfKAe7

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1ODA5NjQzNzA2MjAwOTA2NQ.GhJzhd.kk9R2GDudIgunSijVjaWQD6sIwY3-Lvdx3K_jA
server_id
1258096259378577508

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
45	discord.com
48	discord.com
49	discord.com
36	discord.com
37	discord.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
28	discord.com
29	discord.com
33	discord.com
47	discord.com

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e587a7c.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{823D70DF-6282-40AC-89F8-DD3C108B2C66}	msiexec.exe
File created	C:\Windows\Installer\{823D70DF-6282-40AC-89F8-DD3C108B2C66}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e587a7a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587a7a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{823D70DF-6282-40AC-89F8-DD3C108B2C66}\Icon.exe	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI Setup.exe

pid process

4884 MSI Setup.exe

pid	process
4884	MSI Setup.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
1736	MsiExec.exe
1736	MsiExec.exe
1736	MsiExec.exe
1736	MsiExec.exe
1736	MsiExec.exe
1736	MsiExec.exe
1736	MsiExec.exe
4320	MsiExec.exe
4320	MsiExec.exe
4320	MsiExec.exe
1736	MsiExec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EEF39D69C4AF34C4B8E5DEC55642718B\FD07D3282826CA04988FDDC301B8C266	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\PackageCode = "41E80B3C5A6FE5A458C165F0C6AF261A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD07D3282826CA04988FDDC301B8C266\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\PackageName = "Custom Theme.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\Version = "67436544"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\ProductIcon = "C:\\Windows\\Installer\\{823D70DF-6282-40AC-89F8-DD3C108B2C66}\\Icon.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EEF39D69C4AF34C4B8E5DEC55642718B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD07D3282826CA04988FDDC301B8C266	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\ProductName = "Custom Theme"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\Language = "1036"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD07D3282826CA04988FDDC301B8C266\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

516 msiexec.exe
516 msiexec.exe

pid	process
516	msiexec.exe
516	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	516	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeMachineAccountPrivilege	1496	msiexec.exe
Token: SeTcbPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeLoadDriverPrivilege	1496	msiexec.exe
Token: SeSystemProfilePrivilege	1496	msiexec.exe
Token: SeSystemtimePrivilege	1496	msiexec.exe
Token: SeProfSingleProcessPrivilege	1496	msiexec.exe
Token: SeIncBasePriorityPrivilege	1496	msiexec.exe
Token: SeCreatePagefilePrivilege	1496	msiexec.exe
Token: SeCreatePermanentPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeDebugPrivilege	1496	msiexec.exe
Token: SeAuditPrivilege	1496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1496	msiexec.exe
Token: SeChangeNotifyPrivilege	1496	msiexec.exe
Token: SeRemoteShutdownPrivilege	1496	msiexec.exe
Token: SeUndockPrivilege	1496	msiexec.exe
Token: SeSyncAgentPrivilege	1496	msiexec.exe
Token: SeEnableDelegationPrivilege	1496	msiexec.exe
Token: SeManageVolumePrivilege	1496	msiexec.exe
Token: SeImpersonatePrivilege	1496	msiexec.exe
Token: SeCreateGlobalPrivilege	1496	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeMachineAccountPrivilege	1496	msiexec.exe
Token: SeTcbPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeLoadDriverPrivilege	1496	msiexec.exe
Token: SeSystemProfilePrivilege	1496	msiexec.exe
Token: SeSystemtimePrivilege	1496	msiexec.exe
Token: SeProfSingleProcessPrivilege	1496	msiexec.exe
Token: SeIncBasePriorityPrivilege	1496	msiexec.exe
Token: SeCreatePagefilePrivilege	1496	msiexec.exe
Token: SeCreatePermanentPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeDebugPrivilege	1496	msiexec.exe
Token: SeAuditPrivilege	1496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1496	msiexec.exe
Token: SeChangeNotifyPrivilege	1496	msiexec.exe
Token: SeRemoteShutdownPrivilege	1496	msiexec.exe
Token: SeUndockPrivilege	1496	msiexec.exe
Token: SeSyncAgentPrivilege	1496	msiexec.exe
Token: SeEnableDelegationPrivilege	1496	msiexec.exe
Token: SeManageVolumePrivilege	1496	msiexec.exe
Token: SeImpersonatePrivilege	1496	msiexec.exe
Token: SeCreateGlobalPrivilege	1496	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1496 msiexec.exe
1496 msiexec.exe

pid	process
1496	msiexec.exe
1496	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 516 wrote to memory of 1736	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1736	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1736	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 4320	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 4320	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 4320	516	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Custom Theme.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2C36C6130EA1A26774C9656053E175BF C
2⤵
- Loads dropped DLL
PID:1736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CB8A4D3F89D56F2B79C2BF01A2E5062F
2⤵
- Loads dropped DLL
PID:4320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1296

C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe
"C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe"
1⤵
- Executes dropped EXE
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587a7b.rbs
Filesize
9KB

MD5
c4dd8bf368cebdf2297d329edeaec3d7

SHA1
35f3c5225107fcde769f402a8e4e41a1571d6e87

SHA256
c119c370b45a68c4633b200142643f384ce4e8b24157c993cb5f399d2ae612ae

SHA512
1a052f1ffb7781ff46713eff71a39fe9c1e3239bfd3a7901cd51f32b88a05843122a5dd9ced36dbd99089e4faebb2f4ecc528d935d374abe23ce7721752b6869

Download Submit
C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe
Filesize
78KB

MD5
a5d78ceca0d1cf4f7c01570f52c87eba

SHA1
79a51625c12e3dc18f0df104e4b69c390780642a

SHA256
9bcaf3dbe98611f6cda0aa2e225777401746a802e53bd4b48f3d11637ed19c1a

SHA512
ce2fa48229eae4ee7ea6e707de5c244b9a645735731d2c9174bb65e272380b109ea709eac1c20fc5b5e004af0e340c44827a488b217ac14787ef4cc33a3cbc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7BD7.tmp
Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Windows\Installer\e587a7a.msi
Filesize
1.9MB

MD5
3a6d228f64408b62459124daf05bb83f

SHA1
a0c43230ae4eb0611052b78053214a5e8898a9a4

SHA256
90673e8a84408b0bf7c029cf6b3c1394a52bb32f318770a0328d7904256e7643

SHA512
1cfc629d234cb97a40c154a3beeef2f822bbf86c6d90c8df026cf249afd6b7b062ce7a0f6f1b8e787a3972848b42b5320c1ed7ff99c91e00c1d494d412c52c13

Download Submit
memory/4884-69-0x00000285AEBA0000-0x00000285AEBB8000-memory.dmp

Filesize
96KB

Download
memory/4884-70-0x00000285C9280000-0x00000285C9442000-memory.dmp

Filesize
1.8MB

Download
memory/4884-71-0x00000285CA410000-0x00000285CA938000-memory.dmp

Filesize
5.2MB

Download
memory/4884-72-0x00000285C9EE0000-0x00000285CA1AA000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads