Analysis Overview
SHA256
d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Discord RAT
Discordrat family
Indicator Removal: Clear Windows Event Logs
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 22:29
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 22:29
Reported
2024-09-09 22:32
Platform
win11-20240802-en
Max time kernel
157s
Max time network
159s
Command Line
Signatures
Discord RAT
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2356 created 644 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\winlogon.exe |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2356 set thread context of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\System32\dllhost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{55ae77dd-42e1-4148-b350-b5c22a706f89}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/2356-0-0x00007FFBD43A3000-0x00007FFBD43A5000-memory.dmp
memory/2356-1-0x000001F5E5130000-0x000001F5E5148000-memory.dmp
memory/2356-2-0x000001F5FF780000-0x000001F5FF942000-memory.dmp
memory/2356-3-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp
memory/2356-4-0x000001F5812B0000-0x000001F5817D8000-memory.dmp
memory/2356-5-0x00007FFBD43A3000-0x00007FFBD43A5000-memory.dmp
memory/2356-6-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp
memory/2356-7-0x000001F580DB0000-0x000001F580DEE000-memory.dmp
memory/2356-9-0x00007FFBF46F0000-0x00007FFBF47AD000-memory.dmp
memory/764-10-0x0000000140000000-0x0000000140040000-memory.dmp
memory/2356-8-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp
memory/764-14-0x00007FFBF46F0000-0x00007FFBF47AD000-memory.dmp
memory/764-13-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp
memory/764-12-0x0000000140000000-0x0000000140040000-memory.dmp
memory/764-15-0x0000000140000000-0x0000000140040000-memory.dmp
memory/3280-67-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp
memory/3280-66-0x0000000002770000-0x000000000279A000-memory.dmp
memory/764-225-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp
memory/468-251-0x00000210C9610000-0x00000210C963A000-memory.dmp
memory/2356-252-0x00007FFBF46F1000-0x00007FFBF476E000-memory.dmp
memory/692-250-0x00000241F6CB0000-0x00000241F6CDA000-memory.dmp
memory/644-249-0x00007FFBF5364000-0x00007FFBF5365000-memory.dmp
memory/644-248-0x000002B295480000-0x000002B2954AA000-memory.dmp
memory/764-209-0x00007FFBF52C1000-0x00007FFBF53EA000-memory.dmp
memory/2356-184-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp
memory/468-28-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp
memory/468-27-0x00000210C9610000-0x00000210C963A000-memory.dmp
memory/692-23-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp
memory/692-22-0x00000241F6CB0000-0x00000241F6CDA000-memory.dmp
memory/644-19-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp
memory/644-18-0x000002B295480000-0x000002B2954AA000-memory.dmp
memory/644-17-0x000002B295450000-0x000002B295473000-memory.dmp
memory/764-11-0x0000000140000000-0x0000000140040000-memory.dmp