Analysis
- max time kernel: 157s
- max time network: 159s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-09-2024 22:29
Behavioral task
- behavioral1
- Sample: Client-built.exe
- Resource: win11-20240802-en
General
- Target: Client-built.exe
- Size: 78KB
- MD5: 46408fe27686b8558668eb2e4804f780
- SHA1: 8673f873dcd9107f4ba65599e48274e59e492c68
- SHA256: d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664
- SHA512: 0906a14110a7b804e76f74dccde960e65634ea00825b2d0da7aef6fb07e7452ecd39182f877e54b05c3fc802ac186737b8ea22595abb617c2957e6eacdc79517
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fPIC:5Zv5PDwbjNrmAE+nIC
Malware Config
Extracted
- Family: discordrat
- discord_token: MTI4MjgyNzA4MTIyMjE5NzI1OA.GMjoP6.vacI2P1p61WUHpyhg8BHvjL8CxlOzPywWrwJVg
- server_id: 1282683459751510098
Note: the token is the bot credential the RAT uses to reach its C2. Treat it as a secret to be reported for revocation, not as something to authenticate with; everything useful for triage (the bot's ID and creation time) can be read from it offline.
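The following is an added triage example, not code from the report or from the RAT. It works only from the two values extracted above: the first dot-separated segment of a Discord bot token is the bot's user ID in unpadded base64, and Discord IDs (snowflakes) carry their creation time in the upper bits, so both the bot and the server can be dated without ever using the token. The submission time is taken from the report header and assumed to be UTC.

```python
"""Date the Discord RAT's C2 infrastructure from the extracted config (added example)."""
import base64
from datetime import datetime, timedelta, timezone

# Snowflake epoch: 2015-01-01T00:00:00Z. Bits 22..63 of an ID are ms since this instant.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Values copied verbatim from the report's "Malware Config" section.
DISCORD_TOKEN = "MTI4MjgyNzA4MTIyMjE5NzI1OA.GMjoP6.vacI2P1p61WUHpyhg8BHvjL8CxlOzPywWrwJVg"
SERVER_ID = 1282683459751510098


def bot_id_from_token(token: str) -> int:
    """Decode the first segment of a bot token into the bot's numeric user ID.

    The segment is base64 without padding, so padding is restored before decoding.
    The remaining two segments (timestamp, signature) are never touched.
    """
    first = token.split(".", 1)[0]
    padded = first + "=" * (-len(first) % 4)
    return int(base64.b64decode(padded).decode("ascii"))


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def triage(token: str, server_id: int, submitted: datetime) -> dict:
    """Relate the age of the bot and the server to the sample's submission time.

    Throwaway C2 infrastructure is usually minted shortly before the sample shows up,
    so a bot or guild created minutes earlier is itself a useful indicator.
    """
    bot_id = bot_id_from_token(token)
    bot_created = snowflake_time(bot_id)
    server_created = snowflake_time(server_id)
    return {
        "bot_id": bot_id,
        "bot_created": bot_created,
        "server_created": server_created,
        "bot_age_at_submission_minutes": (submitted - bot_created).total_seconds() / 60,
        "server_age_at_submission_minutes": (submitted - server_created).total_seconds() / 60,
    }


if __name__ == "__main__":
    # Report header: "submitted 09-09-2024 22:29"; assumed UTC here.
    submitted = datetime(2024, 9, 9, 22, 29, tzinfo=timezone.utc)
    for key, value in triage(DISCORD_TOKEN, SERVER_ID, submitted).items():
        print(f"{key}: {value}")
```

Run against the report's values, the bot ID decodes to 1282827081222197258, created on 2024-09-09 at 22:16:49 UTC, about twelve minutes before the sample was submitted; the server (guild) was created the same day at 12:46:07 UTC.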
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (Client-built.exe):
    description: PID 2356 created 644 | pid: 2356 | process: Client-built.exe | target process: winlogon.exe
  Note: the process tree below lists dllhost.exe (PID 764) as a child of winlogon.exe (PID 644), although Client-built.exe (PID 2356) is the process that set its thread context and wrote its memory. The parent shown in the tree is therefore not the creator, which is what this signature flags.
- Indicator Removal: Clear Windows Event Logs (1 TTP, 2 IoCs)
  Clear Windows Event Logs to hide the activity of an intrusion.
  Processes (svchost.exe):
    File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx (svchost.exe)
    File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx (svchost.exe)
  Caveat: the process that opened these .evtx files is the EventLog service host (svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog, PID 1520), which writes to these files as part of normal logging, so on its own this signature is weak evidence of log clearing. PID 1520 is, however, also among the processes dllhost.exe (PID 764) wrote into, so confirm with a Security log event 1102 or System log event 104 before discounting it.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
  Network flows (flow | ioc):
    10 | discord.com
    1  | raw.githubusercontent.com
    2  | discord.com
    4  | discord.com
    6  | discord.com
    9  | discord.com
    1  | discord.com
    7  | discord.com
    8  | discord.com
    11 | raw.githubusercontent.com
    13 | discord.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (Client-built.exe):
    description: PID 2356 set thread context of 764 | pid: 2356 | process: Client-built.exe | target process: dllhost.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes: 2356 Client-built.exe (4 hits), 764 dllhost.exe (30 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege | 2356 Client-built.exe (2 hits)
    Token: SeDebugPrivilege | 764 dllhost.exe (1 hit)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (Client-built.exe, dllhost.exe):
    PID 2356 (Client-built.exe) wrote to memory of 764 (dllhost.exe): 11 writes
    PID 764 (dllhost.exe) wrote to memory of, one write each, 53 targets: 644 winlogon.exe, 692 lsass.exe, 988 svchost.exe, 468 dwm.exe, 540 svchost.exe, 1072 svchost.exe, 1080 svchost.exe, 1132 svchost.exe, 1144 svchost.exe, 1232 svchost.exe, 1288 svchost.exe, 1392 svchost.exe, 1512 svchost.exe, 1520 svchost.exe, 1624 svchost.exe, 1632 svchost.exe, 1644 svchost.exe, 1760 svchost.exe, 1792 svchost.exe, 1844 svchost.exe, 1912 svchost.exe, 2024 svchost.exe, 2040 svchost.exe, 1956 svchost.exe, 1996 svchost.exe, 2132 spoolsv.exe, 2252 svchost.exe, 2388 svchost.exe, 2396 svchost.exe, 2444 svchost.exe, 2496 svchost.exe, 2504 svchost.exe, 2536 sysmon.exe, 2564 svchost.exe, 2592 svchost.exe, 2608 svchost.exe, 3016 sihost.exe, 3028 svchost.exe, 3112 unsecapp.exe, 3280 Explorer.EXE, 3432 svchost.exe, 3452 svchost.exe, 3812 RuntimeBroker.exe, 3868 RuntimeBroker.exe, 3944 DllHost.exe, 3984 svchost.exe, 4176 DllHost.exe, 4372 svchost.exe, 5112 svchost.exe, 4760 svchost.exe, 3328 svchost.exe, 2272 svchost.exe, 4348 OfficeClickToRun.exe
  Note: read together, the SetThreadContext and WriteProcessMemory entries describe Client-built.exe starting dllhost.exe under a spoofed parent, overwriting its memory and redirecting its thread (the process-hollowing pattern), after which the hollowed dllhost.exe, holding SeDebugPrivilege, writes into 53 other processes including lsass.exe, winlogon.exe and sysmon.exe. The report does not say what was written; only the cross-process accesses are recorded.
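An added example, not code from the sandbox or from the RAT, that rebuilds the injection chain from the report's own IoC strings. The sample lines are copied from the signature tables above (a subset of the 64 WriteProcessMemory entries); the tree parents are read off the process tree's indentation; the list of "sensitive" targets and the hollowing rule (thread context set by a process that also wrote the target's memory and is not its tree parent) are this example's own assumptions, chosen to mirror what an analyst checks by hand.

```python
"""Rebuild the injection chain and flag the anomalies in sandbox IoC lines (added example)."""
import re
from collections import defaultdict

# Lines copied from the report's signature tables (subset; the format is "PID <src> <verb> <dst> <src> <src image> <dst image>").
IOC_LINES = [
    "PID 2356 created 644 2356 Client-built.exe winlogon.exe",
    "PID 2356 set thread context of 764 2356 Client-built.exe dllhost.exe",
    "PID 2356 wrote to memory of 764 2356 Client-built.exe dllhost.exe",
    "PID 764 wrote to memory of 644 764 dllhost.exe winlogon.exe",
    "PID 764 wrote to memory of 692 764 dllhost.exe lsass.exe",
    "PID 764 wrote to memory of 1520 764 dllhost.exe svchost.exe",
    "PID 764 wrote to memory of 2536 764 dllhost.exe sysmon.exe",
    "PID 764 wrote to memory of 3280 764 dllhost.exe Explorer.EXE",
]

# Parent of each child as drawn in the report's process tree (assumption: taken from its indentation).
TREE_PARENT = {764: 644, 468: 644, 2356: 3280}

# Processes a user-mode program has no business writing into (this example's own list).
SENSITIVE = {"lsass.exe", "winlogon.exe", "sysmon.exe", "csrss.exe", "services.exe"}

IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>created|set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_iocs(lines):
    """Turn each IoC line into (source pid, verb, destination pid); also collect pid -> image name."""
    events, names = [], {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:  # not a cross-process IoC line; ignore
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
        events.append((src, m["verb"], dst))
    return events, names


def injection_chain(lines):
    """Writer pid -> sorted pids it wrote into: the fan-out from the first stage to the second."""
    chain = defaultdict(set)
    for src, verb, dst in parse_iocs(lines)[0]:
        if verb == "wrote to memory of":
            chain[src].add(dst)
    return {k: sorted(v) for k, v in chain.items()}


def analyse(lines, tree_parent=TREE_PARENT):
    """Findings an analyst would write up: hollowed processes with a spoofed parent, and writes into sensitive targets."""
    events, names = parse_iocs(lines)
    by_verb = defaultdict(set)
    for src, verb, dst in events:
        by_verb[verb].add((src, dst))

    findings = []
    # Thread context set by a process that also wrote the target's memory, while the tree
    # names a different parent: process hollowing behind a spoofed parent.
    for src, dst in sorted(by_verb["set thread context of"]):
        if (src, dst) in by_verb["wrote to memory of"]:
            parent = tree_parent.get(dst)
            if parent is not None and parent != src:
                findings.append(
                    f"{names[dst]} ({dst}) hollowed by {names[src]} ({src}); "
                    f"tree shows parent {names.get(parent, parent)} ({parent})"
                )
    # Any write into a sensitive process, regardless of who the writer is.
    for src, dst in sorted(by_verb["wrote to memory of"]):
        if names[dst].lower() in SENSITIVE:
            findings.append(f"{names[src]} ({src}) wrote into {names[dst]} ({dst})")
    return findings


if __name__ == "__main__":
    for finding in analyse(IOC_LINES):
        print(finding)
    print(injection_chain(IOC_LINES))
```

On the lines above this yields one hollowing finding (dllhost.exe 764, creator 2356, tree parent 644) and three sensitive-target writes (winlogon.exe, lsass.exe, sysmon.exe); the write into svchost.exe 1520 is not flagged by name, which is why the event-log caveat above asks for an explicit 1102/104 check rather than a name-based rule.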
Processes
Each entry shows the PID and the recorded command line; where the command line does not include the image path, the path is given first. Indented entries are children of the entry above them.
- PID 644   C:\Windows\system32\winlogon.exe  (cmd: winlogon.exe)
  - PID 468   C:\Windows\system32\dwm.exe  (cmd: "dwm.exe")
  - PID 764   C:\Windows\System32\dllhost.exe /Processid:{55ae77dd-42e1-4148-b350-b5c22a706f89}
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 692   C:\Windows\system32\lsass.exe
- PID 988   C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 540   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 1072  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1080  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1132  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1144  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- PID 1232  C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
- PID 1288  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1392  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 3016  C:\Windows\system32\sihost.exe  (cmd: sihost.exe)
- PID 1512  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1520  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    signatures: Indicator Removal: Clear Windows Event Logs
- PID 1624  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1632  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1644  C:\Windows\system32\svchost.exe -k NetworkService -p
- PID 1760  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1792  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1844  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1912  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2024  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2040  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1956  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 1996  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 2132  C:\Windows\System32\spoolsv.exe
- PID 2252  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2388  C:\Windows\system32\svchost.exe -k NetworkService -p
- PID 2396  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2444  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2496  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2504  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2536  C:\Windows\sysmon.exe
- PID 2564  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2592  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2608  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 3028  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 3112  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- PID 3280  C:\Windows\Explorer.EXE
  - PID 2356  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe")
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 3432  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3452  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- PID 3812  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3868  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3944  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3984  C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
- PID 4176  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
- PID 4372  C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
- PID 5112  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 4760  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3328  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 2272  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 4348  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 1592  C:\Windows\system32\SppExtComObj.exe -Embedding
- PID 3428  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 404   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 5068  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc