Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

Analysis

  • max time kernel
    91s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-07-2024 18:49

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    d5cbf90eddc9215abfbf3ff955c35798

  • SHA1

    959858304f4ce75e10f4a1ba7df814146b585c50

  • SHA256

    969dff2acdf0d2cc713929f46629150e821de3c2dbdd3add229a5843e7b09703

  • SHA512

    c96c59656195ac5fe276467bdf4c9e509c6284caa73b0e05b583f84dc0f6d03c84df3bc95267162173c3c42181e209c91d49ed7affe03418021e37d7aab3df6b

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score
10/10
discordratpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0NzY0ODI3NjkwNDI4NDIxMQ.GxgExQ.-X3xbQZyb7DoDabkSC2djFpmyZUvGKUE2hzlN4

  • server_id

    1247801636122787851

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe20983cb8,0x7ffe20983cc8,0x7ffe20983cd8
        3⤵
          PID:5028
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
          3⤵
            PID:3272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3500
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
            3⤵
              PID:4568
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
              3⤵
                PID:3356
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                3⤵
                  PID:4448
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                  3⤵
                    PID:2772
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:904
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4244

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    5478498cbfa587d1d55a9ca5598bf6b9

                    SHA1

                    82fedfb941371c42f041f891ea8eb9fe4cf7dcc8

                    SHA256

                    a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606

                    SHA512

                    7641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    bb87c05bdde5672940b661f7cf6c188e

                    SHA1

                    476f902e4743e846c500423fb7e195151f22f3b5

                    SHA256

                    7b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063

                    SHA512

                    c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                    Filesize

                    792B

                    MD5

                    96baaf8b5a5b19850e51951ef135a0b5

                    SHA1

                    cbea42dedf512c4d98dcbc1378c7149f0b21fc32

                    SHA256

                    e3249813993361100b39e3dcae84961f435835b5cff96e2d717f26d06953061c

                    SHA512

                    af79515202e187cff65cfe28816286142352bfd9487018f5f3d80b264279453ff255ab895c34bb831beb86dd03706129804d8b2c9b6e358a5f0eb11fc01495d2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                    Filesize

                    1KB

                    MD5

                    644b27910f1c529cc9d9183083ff1743

                    SHA1

                    0ae45d5bcccf7e4fcdf8dc3f9a659595034b5718

                    SHA256

                    a577af3f12954903caecbb15c73b46b48f487b95f59c73d8e9763b213fc5b52d

                    SHA512

                    7650c29ad8b16faf163915f07dc9f14db10eb1b54596d485953de6828344d72839553a40398acdf09f1a110e22956d8dccc790fab3e8491564d7111b09bb853c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    ad7e44de2d15fcc89fca74578fdb09a6

                    SHA1

                    f7c12b8cc5b6124f39a1790321645b985b300034

                    SHA256

                    a97638fc38bb09b92cd035ee8e683167de9dde8bbc2c5555a5c8b2d3e2b6b157

                    SHA512

                    7a140f009b2586bee0b9e2a1219c4408ac44fecabf0c8a2fea4579e7680abd656fa6a9753dc7a4fb108f5c05069f703ffb46dcd6a9c5f1628f2b07f59e2f63c7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    6KB

                    MD5

                    b6393e1e9f15f56033e2c07f953f58e8

                    SHA1

                    d6ba3cf8fbc5405b6caa3f2c0c6b08a6693eb210

                    SHA256

                    a8bacbb8dff89aa97e9956e5fc75d1472c44a1da160f52f56036bbe761697125

                    SHA512

                    06acf2d46153928845348b7ecd708823f6131798889fa8f279896eea8371b568411a7b954e84093acc9c64289ca6c55993691a532961f1ac63a54ea99065d965

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                    Filesize

                    96B

                    MD5

                    731bcd0b3714a0e1e87a36751bde364a

                    SHA1

                    94667e5eb756c3012b55e3af7cc7090c25abb53d

                    SHA256

                    cd703f6f125d16a935598d49f606188431fae1dde98bf9e2de6fefe671b6be70

                    SHA512

                    e498e6262d067f177eaeb25098f40df8ccff52d162c4705e3db3b02e4bc9762fbce9979682878169f3f9c0c38485c48e8ba042f9299217cf5ddca8ac1b6afdfa

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b6d8.TMP
                    Filesize

                    48B

                    MD5

                    382ff1e3d5360ddf37d8c81a6f8681b3

                    SHA1

                    1e54e786636d6e1a68347bae8512c8660f624167

                    SHA256

                    18375985e70d3819219e9b36d7fa8c4f342315242e5b92911dbc8eab94d91402

                    SHA512

                    3779eadcc04c13821f6df25f7015f90ffd2533c073ed2d14d7192471530c9c2322038bcb24c0cd0c1c70477650eb7f27b40b0189105e7cef222da2e60e18192a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    11KB

                    MD5

                    575750b5dec72fcc2ea7646dd7fa4aa2

                    SHA1

                    8d4528c1c24be432b6764aca268706925409bd3e

                    SHA256

                    2c1f556e2f924d7ca0d4643eaa74666d4224d3d38163831d055c503a6f126da6

                    SHA512

                    46d38de672a6aa7a0c2edc82afcf4b9b1fce9ce79911c4d4ca08a3e18f3b1e44fb47404a324b1b30d3beb8878d04db8b79c23cb4856c1fd0747779fb9c4ff877

                    Download Submit

                  • memory/228-2-0x0000020347730000-0x00000203478F2000-memory.dmp

                    Filesize

                    1.8MB

                    Download

                  • memory/228-1-0x00007FFE0F533000-0x00007FFE0F535000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/228-0-0x000002032D120000-0x000002032D138000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/228-3-0x00007FFE0F530000-0x00007FFE0FFF2000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/228-5-0x00007FFE0F530000-0x00007FFE0FFF2000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/228-4-0x0000020348AA0000-0x0000020348FC8000-memory.dmp

                    Filesize

                    5.2MB

                    Download