Analysis Overview
SHA256
b39337904af234ce5ab04051a009b9a8c60fa46bccc76d449800be886c123e0b
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Discord RAT
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Indicator Removal: Clear Windows Event Logs
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 22:20
Signatures
Discordrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 22:20
Reported
2024-09-09 22:22
Platform
win11-20240802-en
Max time kernel
79s
Max time network
74s
Signatures
Discord RAT
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1356 created 636 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\winlogon.exe |
Credentials from Password Stores: Credentials from Web Browsers
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1356 set thread context of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\System32\dllhost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{b15c098a-0de5-4fc8-b599-1658c6219cdf} |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files