discordrat | ddbdfe227d8394d50c28c4b02c39033c4d5d1962fbd1342a5ca5f236e9671619

Analysis

max time kernel
961s
max time network
1037s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2024, 01:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

7d921a8a96e652d5264847bf6645f61c
SHA1

0ef41f617e00919d102098a7c82750f6e90d9b80
SHA256

ddbdfe227d8394d50c28c4b02c39033c4d5d1962fbd1342a5ca5f236e9671619
SHA512

ac86edaf87b61f0f5b6bf3dc2a70150b43a3e5a758ee4e45162c27491b0ba02f01203446af87666d7c2346169e5445e88027cffd8fcfa64543730078d8c7aed0
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3MzA1MTEwNzEyMzI2OTczNQ.G7UQQo.CWRWd5HJJ8bVumSGiyWc2pDdjavw4VinikkJMg
server_id
1273454211354464348

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	discord.com
15	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007314e0d2b4eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133681599567263490"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007146efd1b4eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a0eb6d1b4eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000265d0ed2b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e60651d2b4eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046ba23d2b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000265d0ed2b4eeda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4108	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	Client-built.exe
Token: 33	2540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4992	OpenWith.exe
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3756	2540	SearchIndexer.exe	105
PID 2540 wrote to memory of 3756	2540	SearchIndexer.exe	105
PID 2540 wrote to memory of 440	2540	SearchIndexer.exe	106
PID 2540 wrote to memory of 440	2540	SearchIndexer.exe	106
PID 4604 wrote to memory of 2108	4604	chrome.exe	109
PID 4604 wrote to memory of 2108	4604	chrome.exe	109
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 3496	4604	chrome.exe	110
PID 4604 wrote to memory of 4084	4604	chrome.exe	111
PID 4604 wrote to memory of 4084	4604	chrome.exe	111
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112
PID 4604 wrote to memory of 1976	4604	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7fff3e3acc40,0x7fff3e3acc4c,0x7fff3e3acc58
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4284,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,6951237663580194339,6494089439717286633,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResolveUpdate.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7c1e9af0a1e245630406329d320a8fe6

SHA1
7e581bb14e4adb204037acbc810a0ef77e2ee40b

SHA256
3e254d9f4e04a1c7a87fb77800de4023bb87cd599596433785a2d7ca12d124e0

SHA512
3207058cea76dd7374ac5b171d0be4c760c6f1a422587c882500cc1daa625436e56f78f7fd3c1ad919d78229291c1b8398ae86432a12b49ab38492cfcfed67ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bf9771fa75f7f8a0a0c3f0f271da9705

SHA1
fc554befeb96ded8bd3f5823706a98b0f0e42fff

SHA256
784bc2cb8e9b23307abc71914ea6849d7892bf1873b3c4cd192f4c8d72137409

SHA512
a74ea929a359af77eedb7078435f61c789f3e542bbd484907fc8c43b4f65f722b16ed4bb3a011c83ec20fb6ae1d882d619971cb0aa8fba651edf68be5bc43d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f5430bf665f235b3af902e4e6ad363aa

SHA1
7f4bf91ece0ad2f5ebe7942c19034da74f77b4ee

SHA256
776533a7cd8072cd230254b5122e6a370be1acf0a391f542d0b03d69e33dfdd9

SHA512
4ace339df8581f174e5bb116166ed6a39c63fb6c831fa19c8e12bd872c874f5cd1954d5b41540c1fb22f7de16fadd8f25ed34890fc0587203f41a51afe92ee51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c58f293b4dec451dd5be544f04725923

SHA1
f50b57c707064767d92ceac388092a9fe2cee4a2

SHA256
c600d38faafe2e70befe4b9822957eafa3bc51d5f374836c45ac801e4786a9ca

SHA512
2e95d3a01a79384a5551e3c31af7469a100ec3eda9937757a1f615ab8ac9f67d923f3931cc2db380943558a09115dc87f0f04ef71e669aa0300672fdd545fdf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
24b11fba1932649f3ddd99a7625dc456

SHA1
c03cfcdec671acac053bcd6db8d4fed6c54f2a60

SHA256
ccbcb5d7afb91bb1eda4b67c37e7a02eb1f185e486fea9ffeeab7f881afd0048

SHA512
9a14f7be377086831672916da587bd89a0d103764922c3d044c0fc595b6c53b1e6173328b96d689bd6388abc06067f60f9b182b406193380b09e88d1b3385ced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
924c3cd374125e210eac2816232adb07

SHA1
9b7593c8760fcffe9673eca13f7a97d2dc110831

SHA256
e7329f5e7dc78f1af6dc560fdabb8daeaa0679da4f334dad13a937eebe2ae6fd

SHA512
7262191bd99ce094f60fe31c64bafd27ed3b35c7e16373c06516841d9fe1e8875eb7c622d01afe77db55178c759363abc05738e2cb70ddad12fb1996f28cf991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
374B

MD5
be96403e7e9328f0a721715d34175a12

SHA1
5aee106c04eb57db0efb7dd41a43c4dbad42f874

SHA256
120d056ec64ce30d00b08f13a9fb9f7d1b7e082773a17539fc21191976188373

SHA512
8e005fd91a142c637c18579587d13e368b1892ed0a47538b908a306a2b073a9178449670e44280f4dd652f6ed788170faae1451acb61c19295648c4af08b9aa0

Download Submit
memory/440-64-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-69-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-51-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-55-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-54-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-57-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-59-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-58-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-56-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-53-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-52-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-60-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-61-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-62-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-44-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-63-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-65-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-66-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-67-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-50-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-68-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-71-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-73-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-72-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-70-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-47-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-48-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-49-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-46-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/440-45-0x0000022D0BC70000-0x0000022D0BC80000-memory.dmp

Filesize
64KB

Download
memory/2540-42-0x0000014310460000-0x0000014310468000-memory.dmp

Filesize
32KB

Download
memory/2540-38-0x000001430ED10000-0x000001430ED18000-memory.dmp

Filesize
32KB

Download
memory/2540-22-0x000001430A820000-0x000001430A830000-memory.dmp

Filesize
64KB

Download
memory/2540-6-0x000001430A720000-0x000001430A730000-memory.dmp

Filesize
64KB

Download
memory/3036-0-0x000001D154B80000-0x000001D154B98000-memory.dmp

Filesize
96KB

Download
memory/3036-2-0x000001D16F260000-0x000001D16F422000-memory.dmp

Filesize
1.8MB

Download
memory/3036-1-0x00007FFF447A3000-0x00007FFF447A5000-memory.dmp

Filesize
8KB

Download
memory/3036-3-0x00007FFF447A0000-0x00007FFF45261000-memory.dmp

Filesize
10.8MB

Download
memory/3036-4-0x000001D16FAA0000-0x000001D16FFC8000-memory.dmp

Filesize
5.2MB

Download
memory/3036-5-0x00007FFF447A0000-0x00007FFF45261000-memory.dmp

Filesize
10.8MB

Download