Analysis

  • max time kernel
    72s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 02:08

General

  • Target

    912ijefLKJ3oihf.exe

  • Size

    78KB

  • MD5

    8e2a08a30601efe0489e3bdfc60df63e

  • SHA1

    93fac04750bf0151ae239878b8b324db562a7296

  • SHA256

    a6cd9664203ed92223bf661281907633cb58bf4fedcb7dd654564c22e5c948fc

  • SHA512

    20d7b59a88b983249f7cf7940dc922a5bd02add33a564a7004557a5d4028893bf69e2c895c98c81675cecbb0da63d7ffa559325ee4a0aec8bb52323ca0e64619

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+DPIC:5Zv5PDwbjNrmAE+bIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5Njk2MDM2Mzc4NjY3MDA4MQ.Gp0SoB.c1yuGjTHVTrM7j-h8dQiCGvwdpgR3x1ZzLeLl0

  • server_id

    1286795217923608729

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\912ijefLKJ3oihf.exe
    "C:\Users\Admin\AppData\Local\Temp\912ijefLKJ3oihf.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc786fcc40,0x7ffc786fcc4c,0x7ffc786fcc58
      2⤵
        PID:4408
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=604 /prefetch:2
        2⤵
          PID:4728
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
          2⤵
            PID:4784
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2472 /prefetch:8
            2⤵
              PID:1700
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
              2⤵
                PID:4968
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
                2⤵
                  PID:2412
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4704,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:1
                  2⤵
                    PID:2844
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4400,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
                    2⤵
                      PID:1080
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5484,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5536 /prefetch:8
                      2⤵
                        PID:1076
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
                        2⤵
                          PID:4676
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5584,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
                          2⤵
                            PID:412
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5580,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:8
                            2⤵
                              PID:4824
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5436,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
                              2⤵
                                PID:1316
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
                                2⤵
                                  PID:412
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4816,i,4210483167942615474,11597039292527118524,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:2
                                  2⤵
                                    PID:5024
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4136
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc786fcc40,0x7ffc786fcc4c,0x7ffc786fcc58
                                    2⤵
                                      PID:1636
                                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                    1⤵
                                      PID:4840
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                      1⤵
                                        PID:1604

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                        Filesize

                                        40B

                                        MD5

                                        b65d667045a646269e3eb65f457698f1

                                        SHA1

                                        a263ce582c0157238655530107dbec05a3475c54

                                        SHA256

                                        23848757826358c47263fa65d53bb5ec49286b717f7f2c9c8e83192a39e35bb6

                                        SHA512

                                        87f10412feee145f16f790fbbcf0353db1b0097bda352c2cd147028db69a1e98779be880e133fed17af6ed73eb615a51e5616966c8a7b7de364ec75f37c67567

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                        Filesize

                                        649B

                                        MD5

                                        39cd5c97ea4cd891c88e73d8f56e7d62

                                        SHA1

                                        749e46e7cda46b93dd5aa5327cf10d42a1320588

                                        SHA256

                                        45b5a5d3f70e46fe82afcff4e3ec80acd9af5ad7f34d7cebc6f6ce315a622f8c

                                        SHA512

                                        f0b7ffae705a063093593e7ca274d05890e2831a16ed191038c3a8ad182486ff52e94530e1b507e803ff0f73be56e8e97495aa0f4fa601091a7d36004512648b

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                                        Filesize

                                        215KB

                                        MD5

                                        e579aca9a74ae76669750d8879e16bf3

                                        SHA1

                                        0b8f462b46ec2b2dbaa728bea79d611411bae752

                                        SHA256

                                        6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

                                        SHA512

                                        df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

                                        Filesize

                                        851B

                                        MD5

                                        07ffbe5f24ca348723ff8c6c488abfb8

                                        SHA1

                                        6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                        SHA256

                                        6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                        SHA512

                                        7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

                                        Filesize

                                        854B

                                        MD5

                                        4ec1df2da46182103d2ffc3b92d20ca5

                                        SHA1

                                        fb9d1ba3710cf31a87165317c6edc110e98994ce

                                        SHA256

                                        6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                        SHA512

                                        939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                        Filesize

                                        2B

                                        MD5

                                        d751713988987e9331980363e24189ce

                                        SHA1

                                        97d170e1550eee4afc0af065b78cda302a97674c

                                        SHA256

                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                        SHA512

                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                        Filesize

                                        356B

                                        MD5

                                        fbe0323bb91f0651a177d8b99519fbb0

                                        SHA1

                                        c0077d903158266a9f35c576c12c20dad2204f88

                                        SHA256

                                        b519e10d9415c9bdad0a0404dd1b0f2a1ed1b6bff3bd6d1176b1236ab8d34da5

                                        SHA512

                                        a879340cc4cd2b486395f1ae06ad8a222832a8e0a455d34b072494f79304749ee7146827617ec70325182338c447320bfb76da1f056e3a1b26ed9a584a812e5b

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                        Filesize

                                        9KB

                                        MD5

                                        b3103b46f9414de93e14fc5ab0c61ecb

                                        SHA1

                                        5fff64ae2f1d2cbf540305288871473f6993f3b3

                                        SHA256

                                        9568d9e7e3134142ac2c5aec689ee1606c30e004cc164e0d3f22bb717290f3db

                                        SHA512

                                        82720ef4434b7c7d397f6fbfbadc73f69a4893604f9e519f60eaaf93861bcb589d193c539e85d1d13753f0bc35d77ab919ab97e27093f55619b5730b98918531

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                        Filesize

                                        232KB

                                        MD5

                                        ee439d59eaf41cb77f4079102e5584e3

                                        SHA1

                                        c63b1e06343c83bf457135c3241ea17a01f56674

                                        SHA256

                                        c4f771db4769694f07c779abeb2e5e3bdb3573db50c994d8891c6aac6ca574f3

                                        SHA512

                                        7b21f62f060c55acd7129b67f262dc1163f46f1c0cf813d8942f47ad3726da01a42a7d53cce49739cc79d6f14a123879e8284c1142ca18e28c9167d028b7d919

                                      • C:\Users\Admin\AppData\Local\Temp\scoped_dir2592_886976283\CRX_INSTALL\_locales\en_CA\messages.json

                                        Filesize

                                        711B

                                        MD5

                                        558659936250e03cc14b60ebf648aa09

                                        SHA1

                                        32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                        SHA256

                                        2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                        SHA512

                                        1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                      • C:\Users\Admin\AppData\Local\Temp\scoped_dir2592_886976283\e9464e27-59bd-41f7-bdaf-5a24288cc79d.tmp

                                        Filesize

                                        132KB

                                        MD5

                                        da75bb05d10acc967eecaac040d3d733

                                        SHA1

                                        95c08e067df713af8992db113f7e9aec84f17181

                                        SHA256

                                        33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

                                        SHA512

                                        56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

                                      • memory/2816-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/2816-6-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/2816-5-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/2816-4-0x000001F13ACB0000-0x000001F13B1D8000-memory.dmp

                                        Filesize

                                        5.2MB

                                      • memory/2816-3-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/2816-2-0x000001F13A4B0000-0x000001F13A672000-memory.dmp

                                        Filesize

                                        1.8MB

                                      • memory/2816-1-0x000001F11FED0000-0x000001F11FEE8000-memory.dmp

                                        Filesize

                                        96KB