Overview

overview

10

Static

static

10

HaxMods.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1136s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/09/2024, 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HaxMods.exe

  • Size

    93KB

  • MD5

    89b417c2e4b949c8888d53ddf7cef561

  • SHA1

    c93f634f3b38888c203c482b1886a741ae4ab649

  • SHA256

    f038831b116966e298441b36162b5603837322726fa82d7e7fa8b4c20d8f7ff4

  • SHA512

    abde9907b47d54ba225271ceb753277879ced5b9f3893f4b81d3c0bb6de84f23d766eddf6f00c2802407c3e49f948448d6171c40cea64c2dd79a8c3cf6a875ed

  • SSDEEP

    1536:F2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIWttZVx:FZv5PDwbjNrmAE+PIc/

Score
10/10
discordratdefense_evasionevasionpersistenceprivilege_escalationratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2OTg1MTgzMTc0NDU5Mzk5Mg.GR0WTi.6wJSWraeR-Rzl_I7fZ7aGCVXpAfAzHPpj4n9qM

  • server_id

    976996222277672961

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

    UAC Bypass Attempt via SilentCleanup Task.

    defense_evasionprivilege_escalation
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:644
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{2c4c7ea5-0a67-43c5-b68b-c23220ea9272}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3688
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      1⤵
        PID:700
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:1004
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
          1⤵
            PID:1028
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:1044
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
              1⤵
                PID:1088
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                1⤵
                  PID:1168
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                  1⤵
                    PID:1236
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                      PID:1288
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1324
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                        1⤵
                          PID:1400
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                          1⤵
                            PID:1472
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              2⤵
                                PID:2636
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                              1⤵
                              • Indicator Removal: Clear Windows Event Logs
                              PID:1492
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                              1⤵
                                PID:1628
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                1⤵
                                  PID:1644
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService -p
                                  1⤵
                                    PID:1656
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1756
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                      1⤵
                                        PID:1840
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1872
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1216
                                            • C:\Windows\system32\AUDIODG.EXE
                                              C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004D4
                                              2⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2292
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1868
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1816
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                1⤵
                                                  PID:2052
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:2116
                                                  • C:\Windows\System32\spoolsv.exe
                                                    C:\Windows\System32\spoolsv.exe
                                                    1⤵
                                                      PID:2152
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                      1⤵
                                                        PID:2224
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                        1⤵
                                                          PID:2392
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                          1⤵
                                                            PID:2400
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p
                                                            1⤵
                                                            • Drops file in System32 directory
                                                            • Modifies data under HKEY_USERS
                                                            PID:2436
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                            1⤵
                                                              PID:2516
                                                            • C:\Windows\sysmon.exe
                                                              C:\Windows\sysmon.exe
                                                              1⤵
                                                                PID:2528
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                1⤵
                                                                  PID:2548
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                  1⤵
                                                                    PID:2564
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                    1⤵
                                                                      PID:2600
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                      1⤵
                                                                        PID:2620
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2788
                                                                        • C:\Windows\system32\wbem\unsecapp.exe
                                                                          C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                          1⤵
                                                                            PID:2684
                                                                          • C:\Windows\Explorer.EXE
                                                                            C:\Windows\Explorer.EXE
                                                                            1⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of UnmapMainImage
                                                                            PID:3332
                                                                            • C:\Users\Admin\AppData\Local\Temp\HaxMods.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\HaxMods.exe"
                                                                              2⤵
                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                              • Suspicious use of SetThreadContext
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:2868
                                                                              • C:\Windows\SYSTEM32\SCHTASKS.exe
                                                                                "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                                                                                3⤵
                                                                                • Abuse Elevation Control Mechanism: Bypass User Account Control
                                                                                PID:3520
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                            1⤵
                                                                              PID:3464
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                              1⤵
                                                                                PID:3496
                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                1⤵
                                                                                  PID:3880
                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                  1⤵
                                                                                    PID:3936
                                                                                  • C:\Windows\system32\DllHost.exe
                                                                                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                    1⤵
                                                                                      PID:4004
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                      1⤵
                                                                                        PID:4064
                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                        C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                        1⤵
                                                                                          PID:4336
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                          1⤵
                                                                                            PID:4408
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                            1⤵
                                                                                              PID:2428
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                              1⤵
                                                                                                PID:2212
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                1⤵
                                                                                                  PID:1076
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                  1⤵
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:2172
                                                                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                  1⤵
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:4124
                                                                                                • C:\Windows\system32\SppExtComObj.exe
                                                                                                  C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:2276
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                    1⤵
                                                                                                      PID:4556
                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                      1⤵
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:4620
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                      1⤵
                                                                                                        PID:3612

                                                                                                      Network

                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                      Replay Monitor

                                                                                                      Loading Replay Monitor...

                                                                                                      Downloads

                                                                                                      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
                                                                                                        Filesize

                                                                                                        338B

                                                                                                        MD5

                                                                                                        fcf18cdc1dee4ebaf97dd4dfb3e75878

                                                                                                        SHA1

                                                                                                        057ee1641e0c47e589280d8395df4d7ed62654b0

                                                                                                        SHA256

                                                                                                        7224390698088435d3a55fd3528d62632026011c7aa795a09b6c49b9d97a8f28

                                                                                                        SHA512

                                                                                                        70954b53dfdc69ee60d5842484deda48c6b9cedcda529bd6419a6b6f5ff6ef87c375d67a952e1f4912b58a2b4d75ef5d670abc0b3cb89e0eb5e898be8cbdf1c3

                                                                                                        Download Submit

                                                                                                      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                                                                        Filesize

                                                                                                        420B

                                                                                                        MD5

                                                                                                        f2ced569087e7517aa739d3b071e1289

                                                                                                        SHA1

                                                                                                        79fa717c87b71e96474d0843e1bc28ed47393b1e

                                                                                                        SHA256

                                                                                                        10358621f921ac1bf3d87c8156ec01c6b7e9c2ea4138b50c1b851a9d8a6f5b99

                                                                                                        SHA512

                                                                                                        3ae9a663bf51b81db9241b498ba39e3a9a7dc095d0f14b3fa650a6724ab813f34c5dcf931a5f2772c08e96b9ed81c76495170dc6be048e8478ebdfdbaeff381e

                                                                                                        Download Submit

                                                                                                      • memory/544-37-0x0000021B51030000-0x0000021B5105A000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/544-38-0x00007FF9B1090000-0x00007FF9B10A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/644-33-0x00007FF9B1090000-0x00007FF9B10A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/644-26-0x000002D364930000-0x000002D364953000-memory.dmp

                                                                                                        Filesize

                                                                                                        140KB

                                                                                                        Download

                                                                                                      • memory/644-32-0x000002D364960000-0x000002D36498A000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/700-28-0x0000023CF95C0000-0x0000023CF95EA000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/700-29-0x00007FF9B1090000-0x00007FF9B10A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/1004-40-0x00000266FD8D0000-0x00000266FD8FA000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/1004-41-0x00007FF9B1090000-0x00007FF9B10A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/2868-12-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-23-0x00007FF9EFD61000-0x00007FF9EFDDE000-memory.dmp

                                                                                                        Filesize

                                                                                                        500KB

                                                                                                        Download

                                                                                                      • memory/2868-14-0x00007FF9F1000000-0x00007FF9F1209000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.0MB

                                                                                                        Download

                                                                                                      • memory/2868-15-0x00007FF9EFD60000-0x00007FF9EFE1D000-memory.dmp

                                                                                                        Filesize

                                                                                                        756KB

                                                                                                        Download

                                                                                                      • memory/2868-280-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-1-0x0000017BA0040000-0x0000017BA005C000-memory.dmp

                                                                                                        Filesize

                                                                                                        112KB

                                                                                                        Download

                                                                                                      • memory/2868-0-0x00007FF9D01A3000-0x00007FF9D01A5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2868-8-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-7-0x0000017BBB4E0000-0x0000017BBB58A000-memory.dmp

                                                                                                        Filesize

                                                                                                        680KB

                                                                                                        Download

                                                                                                      • memory/2868-6-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-5-0x00007FF9D01A3000-0x00007FF9D01A5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2868-4-0x0000017BBBA10000-0x0000017BBBF38000-memory.dmp

                                                                                                        Filesize

                                                                                                        5.2MB

                                                                                                        Download

                                                                                                      • memory/2868-3-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-2-0x0000017BBA790000-0x0000017BBA952000-memory.dmp

                                                                                                        Filesize

                                                                                                        1.8MB

                                                                                                        Download

                                                                                                      • memory/2868-258-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/2868-13-0x0000017BBB730000-0x0000017BBB76E000-memory.dmp

                                                                                                        Filesize

                                                                                                        248KB

                                                                                                        Download

                                                                                                      • memory/2868-19-0x00007FF9D01A0000-0x00007FF9D0C62000-memory.dmp

                                                                                                        Filesize

                                                                                                        10.8MB

                                                                                                        Download

                                                                                                      • memory/3332-78-0x00000000036D0000-0x00000000036FA000-memory.dmp

                                                                                                        Filesize

                                                                                                        168KB

                                                                                                        Download

                                                                                                      • memory/3332-79-0x00007FF9B1090000-0x00007FF9B10A0000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/3688-18-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                        Filesize

                                                                                                        256KB

                                                                                                        Download

                                                                                                      • memory/3688-21-0x00007FF9EFD60000-0x00007FF9EFE1D000-memory.dmp

                                                                                                        Filesize

                                                                                                        756KB

                                                                                                        Download

                                                                                                      • memory/3688-16-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                        Filesize

                                                                                                        256KB

                                                                                                        Download

                                                                                                      • memory/3688-17-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                        Filesize

                                                                                                        256KB

                                                                                                        Download

                                                                                                      • memory/3688-20-0x00007FF9F1000000-0x00007FF9F1209000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.0MB

                                                                                                        Download

                                                                                                      • memory/3688-22-0x0000000140000000-0x0000000140040000-memory.dmp

                                                                                                        Filesize

                                                                                                        256KB

                                                                                                        Download