Analysis Overview
SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
Threat Level: Known bad
The file release.zip was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-24 11:35
Signatures
Discordrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-24 11:35
Reported
2024-08-24 11:39
Platform
win11-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Discord RAT
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689730839034720" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa9c9ecc40,0x7ffa9c9ecc4c,0x7ffa9c9ecc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1792 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4876,i,18164280836566823934,8499426715956140995,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| FR | 142.250.179.68:443 | www.google.com | udp |
| FR | 142.250.179.68:443 | www.google.com | tcp |
| FR | 142.250.179.68:443 | www.google.com | tcp |
| FR | 142.250.179.68:443 | www.google.com | tcp |
| FR | 142.250.179.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 68.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chrome.google.com | udp |
| FR | 172.217.20.206:443 | chrome.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| FR | 172.217.18.206:443 | clients2.google.com | udp |
| FR | 172.217.18.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| FR | 142.250.179.74:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 131.178.250.142.in-addr.arpa | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-24 11:35
Reported
2024-08-24 11:39
Platform
win11-20240802-en
Max time kernel
98s
Max time network
101s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-24 11:35
Reported
2024-08-24 11:39
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |