Analysis
-
max time kernel
53s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05-07-2024 18:08
General
-
Target
https://temp.sh/uMbqJ/Client-built.exe
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTI1ODU2OTIyODI0NDQ4ODIyMw.GnIJVs.5zOhjSe19Xxbj-9HD6xp8S7SsR4uMRCuSTJDrw
-
server_id
1258830436147396800
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://temp.sh/uMbqJ/Client-built.exe1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd07f4ab58,0x7ffd07f4ab68,0x7ffd07f4ab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4920 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4824 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:82⤵
-
C:\Users\Admin\Downloads\Client-built.exe"C:\Users\Admin\Downloads\Client-built.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD58809978978dc1a0e3b19c09de9206766
SHA16eb45d160c99eb42a617fe10590dff81130a88ce
SHA256c9859292a87550a64631f2fddd34d5585ed0d3415fa0ad241724f2f838bfe67f
SHA5126d6c81ba56ae68f3fe9b36f1c81d9dacca591ae3dc62310048749620f75860af80785e66c72e3af2c6b44dee23d18dc7dc6e7278edc0ea45d971a2d3173ffdff
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD55fc8f321fe28770687278d8921726574
SHA1950c285b13a900dde2e1e3bc51ddfd9e1d021e5b
SHA25692f2f87723fa8f7fe62017330cc5b8daf58f413351c525f8f56a5af7b18139ec
SHA5121ae22ebf6dcfaf96f2643ada189b0122c0d66deefd8fc4e8bceca7c1d6edec70e2eeaedef9ee682e283fb0d264fcf45de8d9b0a130b89c53e6e673c308a8e193
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
144KB
MD5aa4754c287300e54bb4a10de5ad27e91
SHA178700d6833154cbe0bfc4db11d3d71f8e6692f1b
SHA2560500f7126d1e1588584cc488f725598a0f3ab4216c27a4e7b9c4dd2bc674ac46
SHA512a6cf2565b42d41547f37df771dd463fafec65aaa6eef6d667d2a1221a197d45b4e327d1faf2cee9595515e5980468eee6044b48f5599dac3e5bb4feb2551747c
-
C:\Users\Admin\Downloads\Client-built.exeFilesize
78KB
MD53af7020c009f0a19928adfd6bb0c4020
SHA153d39065c64a083761be79f62b5c2f5575286403
SHA2562d7bb996e36f5788d26e021d056c8ec48bc3dcdb57ffb0f4cd9380e6e84eabfd
SHA5121ecd3ee565c181284492c37a518c5c3e34e6d34ddcf485c905e34fce95de1cda6ca8721bc5f56d905aa90341eb7f2cbaa3319c7127d3416d08d6f9b371f33bd8
-
\??\pipe\crashpad_4832_FJFYZGFSEVQZURCDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4872-54-0x0000017A339B0000-0x0000017A339C8000-memory.dmpFilesize
96KB
-
memory/4872-58-0x0000017A4F510000-0x0000017A4FA38000-memory.dmpFilesize
5.2MB
-
memory/4872-57-0x00007FFCFA120000-0x00007FFCFABE1000-memory.dmpFilesize
10.8MB
-
memory/4872-56-0x0000017A4E190000-0x0000017A4E352000-memory.dmpFilesize
1.8MB
-
memory/4872-55-0x00007FFCFA123000-0x00007FFCFA125000-memory.dmpFilesize
8KB
-
memory/4872-95-0x00007FFCFA123000-0x00007FFCFA125000-memory.dmpFilesize
8KB
-
memory/4872-96-0x00007FFCFA120000-0x00007FFCFABE1000-memory.dmpFilesize
10.8MB
-
memory/5052-69-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-76-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-81-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-80-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-79-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-78-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-77-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-75-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-70-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB
-
memory/5052-71-0x000001EE84F50000-0x000001EE84F51000-memory.dmpFilesize
4KB