Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-11-2024 14:29

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    5294e84c734fbf9f34110e233b094b98

  • SHA1

    2a2dc9fa78e3c80f7c425dc2d70daad6e0e2f6c2

  • SHA256

    4abd3eb46f7ea1d4f698e5e35f6ce12cffbc131c994f842733aa4a4a6fc1654a

  • SHA512

    ac67c08d7e1eb2d0c8b5f8928541c423d249094bbb72bf920a365f2afe9e3a034923c14cc9a667a899dcc4691b79c45b7eb352acd7f2e08a75bcbabe4cef2bcd

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0

  • server_id

    1308798365948969031
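
The extracted config can be triaged offline before anything else is done with it. The following is an added example (not part of the sandbox report and not the RAT's own code): it decodes the bot user ID that Discord embeds in the first segment of a bot token, and turns that ID and the extracted server_id into creation timestamps via the snowflake format (top 42 bits are milliseconds since 2015-01-01 UTC). The constants are the two values from the report; the only assumptions are the documented token layout (three dot-separated segments, first one base64 of the bot's user ID) and the snowflake layout. The token is a live credential for the operator's bot, so the script never sends it anywhere; the right follow-up is to report it to Discord for revocation, not to authenticate with it.

```python
"""Offline decode of the extracted discordrat config.

Added example, not part of the sandbox report or of the RAT itself. The two
config values are copied from the "Malware Config" section; the script only
does local arithmetic and never contacts Discord with the token.
"""
import base64
from datetime import datetime, timedelta, timezone

# Copied from the report's extracted config.
DISCORD_TOKEN = "MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0"
SERVER_ID = 1308798365948969031

# Discord snowflake epoch (2015-01-01T00:00:00Z). The top 42 bits of a
# snowflake are milliseconds since this instant.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)
DISCORD_EPOCH_MS = 1_420_070_400_000


def b64url_decode_unpadded(segment: str) -> bytes:
    """Base64url-decode a segment whose '=' padding has been stripped."""
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))


def bot_user_id_from_token(token: str) -> int:
    """Return the bot user ID carried in the first segment of a bot token.

    A bot token is three dot-separated segments; the first is the base64 of
    the bot's user ID as a decimal string (assumed layout, per Discord's
    public token format). The second (timestamp) and third (HMAC) segments
    are only meaningful to Discord and are deliberately not decoded here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 token segments, got {len(parts)}")
    user_id = b64url_decode_unpadded(parts[0]).decode("ascii")
    if not user_id.isdigit():
        raise ValueError("first segment did not decode to a decimal user ID")
    return int(user_id)


def snowflake_created_ms(snowflake: int) -> int:
    """Unix time in milliseconds at which a snowflake (user/guild/channel ID) was minted."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_created_at(snowflake: int) -> datetime:
    """Same instant as an aware UTC datetime, using integer arithmetic only."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def triage(token: str, server_id: int) -> dict:
    """Pivot data for a discordrat config: bot ID, and when bot and guild were created."""
    bot_id = bot_user_id_from_token(token)
    gap_ms = snowflake_created_ms(server_id) - snowflake_created_ms(bot_id)
    return {
        "bot_user_id": bot_id,
        "bot_created_utc": snowflake_created_at(bot_id).isoformat(timespec="seconds"),
        "guild_created_utc": snowflake_created_at(server_id).isoformat(timespec="seconds"),
        # Seconds between bot creation and guild creation. A gap of minutes
        # means the C2 infrastructure was stood up in one sitting for this build.
        "guild_minus_bot_seconds": gap_ms // 1000,
    }


if __name__ == "__main__":
    for key, value in triage(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

For this report the bot ID decodes to 1308797965615497357, created 2024-11-20 14:15:51 UTC, and the server was created 95 seconds later, both minutes before the 14:29 submission time shown in the Analysis section (assuming that time is UTC). Those timestamps and the bot ID are the pivot points for hunting other builds that share the same operator infrastructure.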

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3492
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartExpand.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2732
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff979b9cc40,0x7ff979b9cc4c,0x7ff979b9cc58
      2⤵
      PID:3896
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2
      2⤵
      PID:4724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:3
      2⤵
      PID:3560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
      2⤵
      PID:3424
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
      2⤵
      PID:4652
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
      2⤵
      PID:2680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
      2⤵
      PID:1180
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
      2⤵
      PID:3604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
      2⤵
      PID:1588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4312,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3584 /prefetch:1
      2⤵
      PID:4456
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:4000
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:4432

Only Client-built.exe (PID 3492) is the submitted sample, and it spawned no child processes during the run. EXCEL.EXE, chrome.exe, elevation_service.exe and svchost.exe are separate depth-1 processes, not children of the sample; the registry, clipboard, hook and process-enumeration signatures listed above are attributed to EXCEL.EXE and chrome.exe rather than to Client-built.exe.

Network

MITRE ATT&CK Enterprise v15


Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                            Filesize

                            649B

                            MD5

                            0bb2d889156d7b438933ae86bdd3686c

                            SHA1

                            ef5e632727ea91a81bd47d612784d3bfed841341

                            SHA256

                            4df42f3be1d041f69cbe695c691820b46b5bec820c593647d3b493f6be108007

                            SHA512

                            bfafcd163168cbe5289167b2bdb10c3bf5192260b8d5ced1037fc9905d8f78d111cbc2dd377ff38e4a3da19af5b42ac6e71e8e4f416f457bb7130004025e47f8

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                            Filesize

                            215KB

                            MD5

                            e579aca9a74ae76669750d8879e16bf3

                            SHA1

                            0b8f462b46ec2b2dbaa728bea79d611411bae752

                            SHA256

                            6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

                            SHA512

                            df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                            Filesize

                            9KB

                            MD5

                            ecfb273580ce8e2fec70e5208d401f21

                            SHA1

                            6c18ae6a19c49768e44e5d09be97be5213f64761

                            SHA256

                            615896e0e70f58faf85c80833ec4505ff747abe9624de024102f34a4f83e7221

                            SHA512

                            8c90d98ef92660b1f59185a21860b5eae6eaa61c276acc542bfdad6f64983afbff7b49d311a13cba97ac7f900fb4895898ce066f7e46430fa0ec3b2517e8973b

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                            Filesize

                            233KB

                            MD5

                            b6208e3b30e1c415113af661f2b33480

                            SHA1

                            53ce8e92c682d7a71abf3817f0e4a3d42b6c9e61

                            SHA256

                            82bd3c6579b3f982033a3d3363c62c27e0aebd358f9190d485859fe9c41d63bd

                            SHA512

                            8b8902468bbf6d38fb7de12ffc47fe37edd221a5b3e50eaa41aca1a1e2da94eb788abfc694d61c0812ae8751b8c4d54ec4d041cb0320ea1ff5795621a4e0e6e6

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                            Filesize

                            305B

                            MD5

                            1c71eaf81eb500fe64f4bbb7c082c444

                            SHA1

                            0229ad769fbdd7247a97281de7e18c79b8afd353

                            SHA256

                            1b439bba0e5ec6282a2cb954ea65370718443d386939407984850f7dfa32fa1d

                            SHA512

                            b44ec939da0fbfb26936ecacc1005a0054ebe7394627e90d271fd81c3259baa4552c40cc4c67fc641007a5f4ec454731b3fb410d8f2ed8eb46997350f475b81c

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

                            Filesize

                            1KB

                            MD5

                            4e48e3ee284d1167470ac1f938d32d27

                            SHA1

                            f0d187a15108b88659eca6297154ae32e64ef4b8

                            SHA256

                            8ada8a0314c1588654a1a26765eb8ce986e7cd157bd97529778b6386d3cd38d9

                            SHA512

                            845b14f4ed43f06ec0fb942fa7bc8197e36cfbaa2a8ecf3ef696dfefd510c744c85378ee048f73bb9dbc858fd560e4b950d766b28258b54aefb9487be001e2e2

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

                            Filesize

                            1KB

                            MD5

                            c2e6e185e173f9e1b981ed81b8401741

                            SHA1

                            b281b69f52d83a93f1e485f6623273318833aeb6

                            SHA256

                            518aa1837a97cb84d260e6422979964f0c5b5de12c344e8d42f5b72c1d9348e0

                            SHA512

                            5177b339cab10af6182c5d008fdce1c3ee426ae2bfa17423af29c12114cf706f189ae46b125159a3c0f410fe76a3c1f47067c9085571b53c96a4891e773d56a0

                          • memory/2732-26-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-30-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-9-0x00007FF94F710000-0x00007FF94F720000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-13-0x00007FF94F710000-0x00007FF94F720000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-14-0x00007FF94F710000-0x00007FF94F720000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-11-0x00007FF94F710000-0x00007FF94F720000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-15-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-16-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-18-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-20-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-21-0x00007FF94CB70000-0x00007FF94CB80000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-19-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-17-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-55-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-25-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-27-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-28-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-10-0x00007FF94F710000-0x00007FF94F720000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-31-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-29-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-23-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-22-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-24-0x00007FF94CB70000-0x00007FF94CB80000-memory.dmp

                            Filesize

                            64KB

                          • memory/2732-12-0x00007FF98F723000-0x00007FF98F724000-memory.dmp

                            Filesize

                            4KB

                          • memory/2732-47-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/2732-48-0x00007FF98F680000-0x00007FF98F889000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/3492-8-0x00000294B22F0000-0x00000294B230E000-memory.dmp

                            Filesize

                            120KB

                          • memory/3492-0-0x00007FF96E873000-0x00007FF96E875000-memory.dmp

                            Filesize

                            8KB

                          • memory/3492-7-0x00000294B22B0000-0x00000294B22C2000-memory.dmp

                            Filesize

                            72KB

                          • memory/3492-6-0x00000294CD2A0000-0x00000294CD316000-memory.dmp

                            Filesize

                            472KB

                          • memory/3492-5-0x00007FF96E870000-0x00007FF96F332000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3492-4-0x00000294CD750000-0x00000294CDC78000-memory.dmp

                            Filesize

                            5.2MB

                          • memory/3492-3-0x00007FF96E870000-0x00007FF96F332000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3492-2-0x00000294CC4D0000-0x00000294CC692000-memory.dmp

                            Filesize

                            1.8MB

                          • memory/3492-1-0x00000294B1DA0000-0x00000294B1DB8000-memory.dmp

                            Filesize

                            96KB