discordrat | 969dff2acdf0d2cc713929f46629150e821de3c2dbdd3add229a5843e7b09703

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
09-07-2024 18:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

d5cbf90eddc9215abfbf3ff955c35798
SHA1

959858304f4ce75e10f4a1ba7df814146b585c50
SHA256

969dff2acdf0d2cc713929f46629150e821de3c2dbdd3add229a5843e7b09703
SHA512

c96c59656195ac5fe276467bdf4c9e509c6284caa73b0e05b583f84dc0f6d03c84df3bc95267162173c3c42181e209c91d49ed7affe03418021e37d7aab3df6b
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score

10^/10

discordrat persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzY0ODI3NjkwNDI4NDIxMQ.GxgExQ.-X3xbQZyb7DoDabkSC2djFpmyZUvGKUE2hzlN4
server_id
1247801636122787851

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
7 discord.com
8 discord.com
10 discord.com
13 discord.com
4 discord.com
6 discord.com
11 discord.com
12 discord.com

flow	ioc
1	discord.com
7	discord.com
8	discord.com
10	discord.com
13	discord.com
4	discord.com
6	discord.com
11	discord.com
12	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Client-built.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2B9F.tmp.png"	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3500 msedge.exe
3500 msedge.exe
1492 msedge.exe
1492 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1492 msedge.exe
1492 msedge.exe
1492 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exe

description pid process

Token: SeDebugPrivilege 228 Client-built.exe
Token: SeShutdownPrivilege 228 Client-built.exe

pid	process
3500	msedge.exe
3500	msedge.exe
1492	msedge.exe
1492	msedge.exe

description	pid	process
Token: SeDebugPrivilege	228	Client-built.exe
Token: SeShutdownPrivilege	228	Client-built.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exemsedge.exe

description	pid	process	target process
PID 228 wrote to memory of 1492	228	Client-built.exe	msedge.exe
PID 228 wrote to memory of 1492	228	Client-built.exe	msedge.exe
PID 1492 wrote to memory of 5028	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 5028	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3272	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3500	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 3500	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4568	1492	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe20983cb8,0x7ffe20983cc8,0x7ffe20983cd8
3⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
3⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
3⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
3⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
3⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1151937942535509492,15511570229120965137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
3⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5478498cbfa587d1d55a9ca5598bf6b9

SHA1
82fedfb941371c42f041f891ea8eb9fe4cf7dcc8

SHA256
a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606

SHA512
7641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bb87c05bdde5672940b661f7cf6c188e

SHA1
476f902e4743e846c500423fb7e195151f22f3b5

SHA256
7b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063

SHA512
c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
96baaf8b5a5b19850e51951ef135a0b5

SHA1
cbea42dedf512c4d98dcbc1378c7149f0b21fc32

SHA256
e3249813993361100b39e3dcae84961f435835b5cff96e2d717f26d06953061c

SHA512
af79515202e187cff65cfe28816286142352bfd9487018f5f3d80b264279453ff255ab895c34bb831beb86dd03706129804d8b2c9b6e358a5f0eb11fc01495d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
644b27910f1c529cc9d9183083ff1743

SHA1
0ae45d5bcccf7e4fcdf8dc3f9a659595034b5718

SHA256
a577af3f12954903caecbb15c73b46b48f487b95f59c73d8e9763b213fc5b52d

SHA512
7650c29ad8b16faf163915f07dc9f14db10eb1b54596d485953de6828344d72839553a40398acdf09f1a110e22956d8dccc790fab3e8491564d7111b09bb853c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ad7e44de2d15fcc89fca74578fdb09a6

SHA1
f7c12b8cc5b6124f39a1790321645b985b300034

SHA256
a97638fc38bb09b92cd035ee8e683167de9dde8bbc2c5555a5c8b2d3e2b6b157

SHA512
7a140f009b2586bee0b9e2a1219c4408ac44fecabf0c8a2fea4579e7680abd656fa6a9753dc7a4fb108f5c05069f703ffb46dcd6a9c5f1628f2b07f59e2f63c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b6393e1e9f15f56033e2c07f953f58e8

SHA1
d6ba3cf8fbc5405b6caa3f2c0c6b08a6693eb210

SHA256
a8bacbb8dff89aa97e9956e5fc75d1472c44a1da160f52f56036bbe761697125

SHA512
06acf2d46153928845348b7ecd708823f6131798889fa8f279896eea8371b568411a7b954e84093acc9c64289ca6c55993691a532961f1ac63a54ea99065d965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
731bcd0b3714a0e1e87a36751bde364a

SHA1
94667e5eb756c3012b55e3af7cc7090c25abb53d

SHA256
cd703f6f125d16a935598d49f606188431fae1dde98bf9e2de6fefe671b6be70

SHA512
e498e6262d067f177eaeb25098f40df8ccff52d162c4705e3db3b02e4bc9762fbce9979682878169f3f9c0c38485c48e8ba042f9299217cf5ddca8ac1b6afdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b6d8.TMP
Filesize
48B

MD5
382ff1e3d5360ddf37d8c81a6f8681b3

SHA1
1e54e786636d6e1a68347bae8512c8660f624167

SHA256
18375985e70d3819219e9b36d7fa8c4f342315242e5b92911dbc8eab94d91402

SHA512
3779eadcc04c13821f6df25f7015f90ffd2533c073ed2d14d7192471530c9c2322038bcb24c0cd0c1c70477650eb7f27b40b0189105e7cef222da2e60e18192a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
575750b5dec72fcc2ea7646dd7fa4aa2

SHA1
8d4528c1c24be432b6764aca268706925409bd3e

SHA256
2c1f556e2f924d7ca0d4643eaa74666d4224d3d38163831d055c503a6f126da6

SHA512
46d38de672a6aa7a0c2edc82afcf4b9b1fce9ce79911c4d4ca08a3e18f3b1e44fb47404a324b1b30d3beb8878d04db8b79c23cb4856c1fd0747779fb9c4ff877

Download Submit
\??\pipe\LOCAL\crashpad_1492_JWZBTXAOIWSGHNGK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-2-0x0000020347730000-0x00000203478F2000-memory.dmp

Filesize
1.8MB

Download
memory/228-1-0x00007FFE0F533000-0x00007FFE0F535000-memory.dmp

Filesize
8KB

Download
memory/228-0-0x000002032D120000-0x000002032D138000-memory.dmp

Filesize
96KB

Download
memory/228-3-0x00007FFE0F530000-0x00007FFE0FFF2000-memory.dmp

Filesize
10.8MB

Download
memory/228-5-0x00007FFE0F530000-0x00007FFE0FFF2000-memory.dmp

Filesize
10.8MB

Download
memory/228-4-0x0000020348AA0000-0x0000020348FC8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads