Analysis
-
max time kernel
100s -
max time network
112s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
15-07-2024 02:39
Errors
General
-
Target
file.html
-
Size
312KB
-
MD5
88b581d4bef9fbf7eeb967bc441afd15
-
SHA1
908a9cbb5e146715c270b2a60618ac485e52073b
-
SHA256
b725618b2c8bc35e25fa786ec258fe3c27aec84b18e455d00aa16b4ed62be6c5
-
SHA512
0b99c995992c49ed3a75397df2e29d2c902aa85e8faed8e21a02d026238f30e94edf6a4a02e8198316be1eebfc1f077eeafe05236678aaff657dc4e9e245d981
-
SSDEEP
3072:LiggAkHnjPIQ6KSEc/HHaPaW+LN7DxRLlzglKAVARk:LgAkHnjPIQBSEi6PCN7jBAVARk
Malware Config
Extracted
discordrat
-
discord_token
MTI2MjE4MzU5NjU1MTE4MDQwMg.Gzy3x9.RZIwVThFyDF6ranz-qVbm6lG_FO19_NJuZ4LiM
-
server_id
1262179245837258894
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\file.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbca923cb8,0x7ffbca923cc8,0x7ffbca923cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6462013441648788551,2241276047994937031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Epic\VSoftware.exe"C:\Users\Admin\Downloads\Epic\VSoftware.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77VSoftware.exe" /tr "'C:\Users\Admin\Downloads\Epic\VSoftware.exe'" /sc onlogon /rl HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Downloads\Epic\VSoftware.exe"C:\Users\Admin\Downloads\Epic\VSoftware.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77VSoftware.exe" /tr "'C:\Users\Admin\Downloads\Epic\VSoftware.exe'" /sc onlogon /rl HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Downloads\Epic\VSoftware.exe"C:\Users\Admin\Downloads\Epic\VSoftware.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c4915f5546d95ffeec60455267cb8491
SHA15ea32fd86aaef190b4ed125d5f956b5b6c2e6e2a
SHA25677804cbabdc25c2a9574a84e4f4c299754b181b785cd0e49f5169dbda4ea1014
SHA51224f7ab8e933f2202af3a5d55c5c04465eb151679f5a0bd8b6f23e2423b4d436374bb3207c1d172615f1d966a22da41b88476511e4441fe5c2b915b53f6c624a4
-
Filesize
152B
MD5caaeb604a99d78c4a41140a3082ca660
SHA16d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97
SHA25675e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6
SHA5121091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66
-
Filesize
152B
MD51fe10b6cb6b345a095320391bda78b22
SHA146c36ab1994b86094f34a0fbae3a3921d6690862
SHA25685a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239
SHA5129f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a
-
Filesize
480B
MD5b106688140b16f2bb40776835c119b0f
SHA1c8657771dadce4cf19b5b53f9119f708ff16d3bc
SHA25622d65dd1aca943890193b3b8197c21e700f152eca71aff650f2a241c2b9d0814
SHA512ecc27d3f323b8d0cc5907e643068f7e5dfac4a6629feb5bc96bee3c14d05b385bcb47b3d5f41cc66d1d0b9ef050c740948b7d92b95fbe614a052c870c2e2e6ff
-
Filesize
3KB
MD586ffd2e06b71f744d14e1cdb50664bce
SHA17c3beb106db0762ec595dcf8a9504bdfb740bdf5
SHA25651c74f6def420e55b395a847909f9c876ac2e2d9636d229c824264c040af4245
SHA512f21b3c55b9ff1df22588ba4177a3aca95b09f71eee9c08410634f57762c83ae3f56c9a3aa3d8542c7e866c535218b95a7c324a9478c80ff29b3d6a4808221a54
-
Filesize
5KB
MD54cdaf5d052753fd8b3f5746288d89e07
SHA1d3e8c199453b012ba0d4c541ed3426a8d3517d92
SHA256a2d4631e0feb810f119c5119e5c6e6a88fb50c7dd2dfcf09f0953d03cbbf117b
SHA5128fe02ced67ed3936c6dd340c239d264a432f83cb95856f157cad075752f0da43b3811b78365fce2c585e9ece39de8acc1a876697120299a33f532bf7751ecc6b
-
Filesize
8KB
MD5c7d3cad34859c4876c3654c584af5812
SHA1856506bc55f7b1ccdb1bed8098e0ace6c48a7dd5
SHA256482bf8ab8eaaa338cde41812b1001b01bc3457c88312083045aca2fec15313a5
SHA51254edee7bf99dc67a2a67ba669f83dcbdb9da70020a2e8908274e3dd6e4ef6063e440246e1e3b6e1ff6a320dbf91556beee9b87bde9edefdf6a660b01a711ed20
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5c90011a9874d8ae7d14511ff52fa09fa
SHA1fb2dafa4f20614b98917921f9d1ce306991bc318
SHA256f5d5bd0e49919db0f6450c171b1536898ddefd54f8dc8c5acd2571aa07971601
SHA51266e8f8b90bf3e14ec8987d0cbece3de1780088dcdb555bbfaa3c1941dace5ae5eeb4630312900e09ea58e62f0cd3b08e32e37379c8913dd33ced8fca2d29f929
-
Filesize
11KB
MD5077f21ff9c30698da0ed034e0eb8d813
SHA1d7c53e57a6d1fa79e6c6d788c920597ffe025f03
SHA25635698d6bf11ff282acea69d367c54661ac809508f313c76e3c224f96695a10c6
SHA5128ec945745eaf1008bee00cc3d38012c4561ada363f5e172ebb3c840adc549e61751ed3be73c5b600619e27ff545d42aef63a8492f62f9c70dc86bd54fad7b4ac
-
Filesize
10KB
MD51015d2fd919a3b62e193194c7bfafbef
SHA1f7f3314dd817edcee90f87491f74825b197f476b
SHA256990002e556b74d16e89d7f6c8be6ac5870e9be8b904ec52e87d92631fa09467b
SHA512ffc7702179fb30851f4646f26a53e87c0215e320e117901c726a6294bf428540134e1fd14fce37a0b430e8379b4c56d6f57b582efff5654e2ed4624453762bea
-
Filesize
49KB
MD5ec66d375a70559eb6b4ce9aa8f28767a
SHA19df2a19dfb8d344c466ab5e1eebd19549c352f1e
SHA256e08b2618739a86f8e36676a718080b5f90912945d949dee8b480882012a31945
SHA512ad446fe5f117d31dd37a89c0b40411a6af6e035486c512781f3a5d5a170b405cd59bfb6223bca2babc77c2a226a602594044b74a317921c4ad9f24960acb8a94
-
Filesize
270B
MD5c5b2f7ec43ef0bfdc34fa74d5a05d2f9
SHA13cfba6cfdd4c9979e5bb09f5dc41f32a17571ad6
SHA25633af127d8de82623521ddfb88910dfda7beffae5e70981491f7718c4cab85658
SHA5124c1117c05848916f20db3996d710c7c1cbf37e6f1eaae16676cf59fb373828d814409bb5931369ff1e07b72e3136786a2d6100da0198c6d40e38978a02b05246
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
96KB