discordrat | 56b13321c915aff2eab83aa707194ab42f8ff8e59bcb305a51a41ab89344b016

Analysis

max time kernel
133s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 10:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

750fdf2a326c6db022bc41d9d8902b59
SHA1

072cdc8d086316129dc5228d66e4c7b401513c5f
SHA256

56b13321c915aff2eab83aa707194ab42f8ff8e59bcb305a51a41ab89344b016
SHA512

cded66eb7c75b262c183d6d459cd19dbb602574cddcea69107001e11a0c9258ec708710513a2a9692dc3101d59ac8cb14d1aa43bb21681ad3c3318e2666aafbb
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIC:5Zv5PDwbjNrmAE+YIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2ODk2NDIwNTMzMjAwOTA4MQ.G2VQO3.rLYaZ6YXS_2cD32yjU_EpC30Zspp6IkmC0MMuU
server_id
1283852429145804882

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
7	discord.com
12	discord.com
77	discord.com
78	discord.com
80	discord.com
82	discord.com
83	discord.com
6	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Client-built.exe
Token: SeShutdownPrivilege	3812	shutdown.exe
Token: SeRemoteShutdownPrivilege	3812	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2968	4792	msedge.exe	105
PID 4792 wrote to memory of 2968	4792	msedge.exe	105
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 1640	4792	msedge.exe	106
PID 4792 wrote to memory of 3088	4792	msedge.exe	107
PID 4792 wrote to memory of 3088	4792	msedge.exe	107
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108
PID 4792 wrote to memory of 5108	4792	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2956
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8357c6dfha521h422ah89f0h9b971da1c064
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x9c,0x12c,0x7fff4c2046f8,0x7fff4c204708,0x7fff4c204718
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1336,17893904368966669749,17010760670824071931,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1336,17893904368966669749,17010760670824071931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1336,17893904368966669749,17010760670824071931,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultfe18ee4fh1798h4dedh8db0h168f99895fed
1⤵
PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4c2046f8,0x7fff4c204708,0x7fff4c204718
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1076195485471247738,6797580553461709869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1076195485471247738,6797580553461709869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1076195485471247738,6797580553461709869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9bc3192f22809de13578c504dd85aa18

SHA1
bb546d1ee73a09c4ea6f88647ed32b0681022de9

SHA256
ed120d48306672375f7d1f935073ef2fc344bf0c84c3ef9bd1b798f210439502

SHA512
e6c40762c1f2a13d5b871ad5a6cfd0156dfa1b7e132fd88a7ab19a9d226a27ec93f6d9467ddb85736d18ffc84ee0837703c022058b51822ddfc6edb672f887b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
8c9c55fb2a58b52a988ad9e20519eb12

SHA1
462a8ea8188268a0f7d55ae3e72fd99011451314

SHA256
90e4e120285ac857bd5201bea854cbab7cdda04200b97eadebd46fca49315649

SHA512
75ffae9da0a4163317a3fbfc419586dd0a22b4c6b6560717b7139ed37d5dfc2baa8b125dd791278a6681a0844396e4537d56a454c4ceb6b12d6616f220d8d05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
05651fcde846eaccc4c3451d00c774c6

SHA1
46db3244022635b908fbf9c9d0dd226dc04cf8ff

SHA256
8781cb2191791616d023d3ef091c8df50a4846bd273afe34607cf51f003e7f24

SHA512
bd4dd13db0ace8bd3dce67c21d6b205482dd3ea8507a105198d4c9b3807def3bc9306f3720a14cc1effa730e8f17f324b394a163e2377effddaedb3a92a67a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f10fda93e6927b658a8732b44a11ea9f

SHA1
ae8a01cea8128d478262b2cb879fff9801c2336b

SHA256
8c3c27c1612e12b4d7e308f58bbb300f211da3bbb110766f6d7b8c3cdd86279f

SHA512
397929c124ee15fb749ad8a37570e22e09316d6026bfe42c7c0678735a0cf9ec2a05a4bada15f22e409b97cf2445d769fc7eab669a8f67847b4eb0fda7ecf92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/2956-0-0x00007FFF544B3000-0x00007FFF544B5000-memory.dmp

Filesize
8KB

Download
memory/2956-6-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/2956-5-0x00007FFF544B3000-0x00007FFF544B5000-memory.dmp

Filesize
8KB

Download
memory/2956-4-0x0000019271CD0000-0x00000192721F8000-memory.dmp

Filesize
5.2MB

Download
memory/2956-3-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/2956-2-0x00000192715D0000-0x0000019271792000-memory.dmp

Filesize
1.8MB

Download
memory/2956-1-0x0000019256DF0000-0x0000019256E08000-memory.dmp

Filesize
96KB

Download
memory/2956-109-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download