Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-11-2024 14:29
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win11-20241007-en
General
Target: Client-built.exe
Size: 78KB
MD5: 5294e84c734fbf9f34110e233b094b98
SHA1: 2a2dc9fa78e3c80f7c425dc2d70daad6e0e2f6c2
SHA256: 4abd3eb46f7ea1d4f698e5e35f6ce12cffbc131c994f842733aa4a4a6fc1654a
SHA512: ac67c08d7e1eb2d0c8b5f8928541c423d249094bbb72bf920a365f2afe9e3a034923c14cc9a667a899dcc4691b79c45b7eb352acd7f2e08a75bcbabe4cef2bcd
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Malware Config
Extracted family: discordrat
discord_token: MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0
server_id: 1308798365948969031
Signatures
(Rows marked (xN) below are repeated N times in the report.)

Discord RAT
A RAT written in C# that uses Discord as its C2 channel.

Discordrat family

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)
flow  ioc
4     discord.com
6     discord.com
8     raw.githubusercontent.com
9     discord.com
29    discord.com
23    discord.com
24    discord.com
28    discord.com
1     discord.com
7     raw.githubusercontent.com
10    discord.com
11    discord.com
12    discord.com
Drops file in Windows directory (1 IoC)
description                   ioc                    Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                               Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
description        ioc                                                              Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU           EXCEL.EXE
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily        EXCEL.EXE
Modifies data under HKEY_USERS (2 IoCs)
description      ioc                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                     chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765867293033478"  chrome.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
2732  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2596  chrome.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid   Process
2596  chrome.exe (x4)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description                       pid   Process
Token: SeDebugPrivilege           3492  Client-built.exe
Token: SeShutdownPrivilege        2596  chrome.exe (x11)
Token: SeCreatePagefilePrivilege  2596  chrome.exe (x11)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid   Process
2596  chrome.exe (x26)

Suspicious use of SendNotifyMessage (12 IoCs)
pid   Process
2596  chrome.exe (x12)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid   Process
2732  EXCEL.EXE (x12)

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 2596 wrote to memory of 3896  2596  chrome.exe  83  (x2)
PID 2596 wrote to memory of 4724  2596  chrome.exe  84  (x30)
PID 2596 wrote to memory of 3560  2596  chrome.exe  85  (x2)
PID 2596 wrote to memory of 3424  2596  chrome.exe  86  (x30)
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Client-built.exe  (PID 3492)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 2732)
  cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartExpand.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2596)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3896)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff979b9cc40,0x7ff979b9cc4c,0x7ff979b9cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4724)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3560)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3424)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4652)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2680)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1180)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3604)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1588)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4456)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4312,i,6887513997608106393,14838099578985666781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 4000)
  cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (PID 4432)
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads