discordrat | bbaa30ea37df3080078f35ccd41e6e1c3fe66c81d7c80dda3cf5299af988122c

Analysis

max time kernel
224s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

6de48dc636e876d997534aa3c5a1b368
SHA1

02b08b739531593ac72dd2aa92b75e3466428b11
SHA256

bbaa30ea37df3080078f35ccd41e6e1c3fe66c81d7c80dda3cf5299af988122c
SHA512

23b1cdbfbc45b95e205f43e48028e5943a3a7c7c9960291e16ce34dafcb53e0e679523f30cb739bf8926355d3eb7d817d5b97c1fc722b192d9cac2925cb6380c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+WwPIC:5Zv5PDwbjNrmAE+W0IC

Score

10^/10

discordrat defense_evasion persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NjcwOTYwMTQwNzg2MDc3Nw.GdbB5d.SstzGRfJxvsS7oS6I1M3fQK9g8R5_he-FnX100
server_id
1286709234360385586

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 64 created 316	64	WerFault.exe	13

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1612 created 616	1612	Client-built.exe	5
PID 832 created 616	832	svchost.exe	5
PID 832 created 672	832	svchost.exe	7
PID 832 created 316	832	svchost.exe	13

Downloads MZ/PE file

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
57	discord.com
18	discord.com
21	discord.com
37	discord.com
17	discord.com
59	raw.githubusercontent.com
60	discord.com
62	discord.com
64	discord.com
39	discord.com
58	raw.githubusercontent.com
63	raw.githubusercontent.com
56	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 4964	1612	Client-built.exe	92

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	Client-built.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
1612	Client-built.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
3468	WerFault.exe
3468	WerFault.exe
4964	dllhost.exe
4964	dllhost.exe
224	WerFault.exe
224	WerFault.exe
4964	dllhost.exe
4964	dllhost.exe
1612	Client-built.exe
832	svchost.exe
832	svchost.exe
832	svchost.exe
832	svchost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
1932	WerFault.exe
1932	WerFault.exe
1612	Client-built.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
1612	Client-built.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
1612	Client-built.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe
4964	dllhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	Client-built.exe
Token: SeDebugPrivilege	1612	Client-built.exe
Token: SeDebugPrivilege	4964	dllhost.exe
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeAuditPrivilege	2760	svchost.exe
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3504	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 1612 wrote to memory of 4964	1612	Client-built.exe	92
PID 4964 wrote to memory of 616	4964	dllhost.exe	5
PID 4964 wrote to memory of 672	4964	dllhost.exe	7
PID 4964 wrote to memory of 960	4964	dllhost.exe	12
PID 4964 wrote to memory of 316	4964	dllhost.exe	13
PID 4964 wrote to memory of 516	4964	dllhost.exe	16
PID 4964 wrote to memory of 1136	4964	dllhost.exe	17
PID 4964 wrote to memory of 1144	4964	dllhost.exe	18
PID 4964 wrote to memory of 1152	4964	dllhost.exe	19
PID 4964 wrote to memory of 1212	4964	dllhost.exe	20
PID 4964 wrote to memory of 1224	4964	dllhost.exe	21
PID 4964 wrote to memory of 1284	4964	dllhost.exe	22
PID 4964 wrote to memory of 1364	4964	dllhost.exe	23
PID 4964 wrote to memory of 1388	4964	dllhost.exe	24
PID 4964 wrote to memory of 1464	4964	dllhost.exe	25
PID 4964 wrote to memory of 1572	4964	dllhost.exe	26
PID 4964 wrote to memory of 1580	4964	dllhost.exe	27
PID 4964 wrote to memory of 1660	4964	dllhost.exe	28
PID 4964 wrote to memory of 1720	4964	dllhost.exe	29
PID 4964 wrote to memory of 1752	4964	dllhost.exe	30
PID 4964 wrote to memory of 1760	4964	dllhost.exe	31
PID 4964 wrote to memory of 1856	4964	dllhost.exe	32
PID 4964 wrote to memory of 1968	4964	dllhost.exe	33
PID 4964 wrote to memory of 1976	4964	dllhost.exe	34
PID 4964 wrote to memory of 2000	4964	dllhost.exe	35
PID 4964 wrote to memory of 1616	4964	dllhost.exe	36
PID 4964 wrote to memory of 1884	4964	dllhost.exe	37
PID 4964 wrote to memory of 2140	4964	dllhost.exe	38
PID 4964 wrote to memory of 2156	4964	dllhost.exe	39
PID 4964 wrote to memory of 2252	4964	dllhost.exe	41
PID 4964 wrote to memory of 2488	4964	dllhost.exe	42
PID 4964 wrote to memory of 2504	4964	dllhost.exe	43
PID 4964 wrote to memory of 2628	4964	dllhost.exe	44
PID 4964 wrote to memory of 2636	4964	dllhost.exe	45
PID 4964 wrote to memory of 2652	4964	dllhost.exe	46
PID 4964 wrote to memory of 2708	4964	dllhost.exe	47
PID 4964 wrote to memory of 2760	4964	dllhost.exe	48
PID 4964 wrote to memory of 2796	4964	dllhost.exe	49
PID 4964 wrote to memory of 2816	4964	dllhost.exe	50
PID 4964 wrote to memory of 2824	4964	dllhost.exe	51
PID 4964 wrote to memory of 2840	4964	dllhost.exe	52
PID 4964 wrote to memory of 2964	4964	dllhost.exe	53
PID 4964 wrote to memory of 3396	4964	dllhost.exe	55
PID 4964 wrote to memory of 3504	4964	dllhost.exe	56
PID 4964 wrote to memory of 3612	4964	dllhost.exe	57
PID 4964 wrote to memory of 3804	4964	dllhost.exe	58
PID 4964 wrote to memory of 3956	4964	dllhost.exe	60
PID 4964 wrote to memory of 4188	4964	dllhost.exe	62
PID 4964 wrote to memory of 4444	4964	dllhost.exe	65
PID 4964 wrote to memory of 4392	4964	dllhost.exe	67
PID 4964 wrote to memory of 3204	4964	dllhost.exe	68
PID 4964 wrote to memory of 4452	4964	dllhost.exe	69
PID 4964 wrote to memory of 4128	4964	dllhost.exe	70
PID 4964 wrote to memory of 4680	4964	dllhost.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 316 -s 2684
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6b5ffcb7-1986-47bd-aa61-84d8f677cc50}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 616 -s 1140
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:224

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 672 -s 4356
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1364
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3836
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1640
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3164
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3192
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4952
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2140

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2840

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3396

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3504
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3204

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4452

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:832
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 484 -p 316 -ip 316
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:64
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 532 -p 616 -ip 616
  2⤵
  PID:440
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 560 -p 672 -ip 672
  2⤵
  PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15C0.tmp.csv

Filesize
31KB

MD5
e82dc2e019283f2017f4928777111c73

SHA1
54b51da5de02c5376102565ada7634d7ba2ae565

SHA256
23bb543c4f5c2c57b16c4af30c371262681b9ca436d67e1b5454bf62bf176bc2

SHA512
04053282a5b8471220cb0d9e1cd34e2d3c907d9f28c4267380c7aec4f2179648656309e16f465c3f244e67de552431f1adaa83b4a9ada38b02aa15ec7b4bff46

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER15E0.tmp.txt

Filesize
13KB

MD5
209aa3a88e7ecda0b9d582b0b25cd8a7

SHA1
380b18ead44798a53bef5f48e318fd32c0233f68

SHA256
d567c6d55560d2906c0a3a192ebdf40e6a61bc78cd8762fb6bb22398b75067a9

SHA512
e836b3f5a033ff16baf1dcb6432e826a9c6586c002d7842f9e1312319136943d1d17227ea15ba3c720d1af515c81e533bac054f011aba12ad967eb643b9c82cf

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER408.tmp.csv

Filesize
36KB

MD5
521cd9406e97eb46fb43bf4a325d63b7

SHA1
8a39b8243487eb96018ca08ac91f5fb272e07e69

SHA256
42d36d2550bb63684fd2064792a5008a6f54e4745c8b24d0bc6311dceea463ef

SHA512
3bada8dff7435369c727dc6ac49a0d9803eb52c1fa0faebff625a61e39a6b9505a7e96d532d49f4ec8f5bc9311002844935b7ae0bc07e10601150888d5bc7849

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER429.tmp.txt

Filesize
13KB

MD5
553790f878759733fb35b1c477ce6a1d

SHA1
9893f83d44e1f65451e5a90600c18bb0779df080

SHA256
3b874d2c56cc23cbda56dee681df5c3bbb37feda736c26e9cd0d0e35de653563

SHA512
2e89b764849974ba6a5fa039b72c2a49a65dd7800162a188f8230cba033f73c78b96441bd16f2c9ff57ac14ef29aa274ad4aa9228fb07fd8ca44ab5d8299d3f7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42A.tmp.csv

Filesize
36KB

MD5
68828124cbc8a375676206a0332d2d61

SHA1
c1575301c7c43d1840a8c9d6a385666754641bfe

SHA256
7a8e6bf9b599338d9c28a17a903b5c4816305d758b59563beb96892e04ac3473

SHA512
0d83e6b094581f76a2f48d25d40138894e6f3b01e7a1b7d9537389373e0c9c65cec978c599a3db0db1e7c5ee559d10ff3218d9d5938531fe432fc7101ed9569e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44A.tmp.txt

Filesize
13KB

MD5
08a9ae996867f3bbb51634e29adcb3dc

SHA1
9b02daf7c176d17b37a461196c8278e1cac38410

SHA256
2ddad288fa4e7ed46878d82863540f9b457ad2d7835027ed5b887b7b62b3be57

SHA512
0e054e929b5c2f731370968d7f44c9089fa90382a4dbd5bc64e5e5e58962a7e25babb3b3e8e8ca013abf3fd954e59c118ef8a512630f620d3c86b47c2c43815a

Download Submit
memory/316-356-0x00007FFB8402C000-0x00007FFB8402D000-memory.dmp

Filesize
4KB

Download
memory/316-358-0x000001FAEDAB0000-0x000001FAEDADA000-memory.dmp

Filesize
168KB

Download
memory/316-70-0x000001FAEDAB0000-0x000001FAEDADA000-memory.dmp

Filesize
168KB

Download
memory/316-31-0x000001FAEDAB0000-0x000001FAEDADA000-memory.dmp

Filesize
168KB

Download
memory/616-52-0x00007FFB8402F000-0x00007FFB84030000-memory.dmp

Filesize
4KB

Download
memory/616-328-0x00007FFB8402C000-0x00007FFB8402D000-memory.dmp

Filesize
4KB

Download
memory/616-19-0x000002A5E2E50000-0x000002A5E2E73000-memory.dmp

Filesize
140KB

Download
memory/616-21-0x000002A5E2E80000-0x000002A5E2EAA000-memory.dmp

Filesize
168KB

Download
memory/616-46-0x000002A5E2E80000-0x000002A5E2EAA000-memory.dmp

Filesize
168KB

Download
memory/616-48-0x00007FFB8402D000-0x00007FFB8402E000-memory.dmp

Filesize
4KB

Download
memory/672-59-0x00007FFB8402D000-0x00007FFB8402E000-memory.dmp

Filesize
4KB

Download
memory/672-57-0x000001F1058B0000-0x000001F1058DA000-memory.dmp

Filesize
168KB

Download
memory/672-22-0x000001F1058B0000-0x000001F1058DA000-memory.dmp

Filesize
168KB

Download
memory/672-24-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1612-0-0x00007FFB65F53000-0x00007FFB65F55000-memory.dmp

Filesize
8KB

Download
memory/1612-10-0x00007FFB838C0000-0x00007FFB8397E000-memory.dmp

Filesize
760KB

Download
memory/1612-1-0x0000014B5AB70000-0x0000014B5AB88000-memory.dmp

Filesize
96KB

Download
memory/1612-2-0x0000014B751E0000-0x0000014B753A2000-memory.dmp

Filesize
1.8MB

Download
memory/1612-3-0x00007FFB65F50000-0x00007FFB66A11000-memory.dmp

Filesize
10.8MB

Download
memory/1612-4-0x0000014B759E0000-0x0000014B75F08000-memory.dmp

Filesize
5.2MB

Download
memory/1612-423-0x00007FFB65F50000-0x00007FFB66A11000-memory.dmp

Filesize
10.8MB

Download
memory/1612-5-0x00007FFB65F53000-0x00007FFB65F55000-memory.dmp

Filesize
8KB

Download
memory/1612-6-0x00007FFB65F50000-0x00007FFB66A11000-memory.dmp

Filesize
10.8MB

Download
memory/1612-7-0x0000014B75630000-0x0000014B758FA000-memory.dmp

Filesize
2.8MB

Download
memory/1612-8-0x0000014B75170000-0x0000014B751AE000-memory.dmp

Filesize
248KB

Download
memory/1612-9-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/3504-75-0x0000000002900000-0x000000000292A000-memory.dmp

Filesize
168KB

Download
memory/3504-76-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/3504-154-0x0000000002900000-0x000000000292A000-memory.dmp

Filesize
168KB

Download
memory/4964-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4964-17-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4964-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4964-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4964-14-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4964-15-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/4964-16-0x00007FFB838C0000-0x00007FFB8397E000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads