Analysis

  • max time kernel
    88s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 09:04

Errors

Reason
Machine shutdown

General

  • Target

    https://gofile.io/d/pHSQ9S

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwOTc3OTA0NDc1NzQwOTc5Mg.GqRjHM.OrOqdkb_0kY0TAalo3nn0l0anYPKxq5LviVRiA

  • server_id

    1309037779530940456
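The token and server ID above are the only C2 material the RAT needs, and both are Discord snowflake-based values that can be decoded offline. The script below is an added example written for this report, not tooling from the sandbox or from the RAT's author: it scans a binary for token-shaped strings (ASCII and, because the RAT is C#, UTF-16LE string literals), then recovers the bot's ID and creation time from the first token field. The regex bounds, the constructed sample blob and the `find_tokens`/`parse_token` names are assumptions of this example; the token and server ID are the values extracted in the report.

```python
import base64
import re
from datetime import datetime, timezone

# Discord bot tokens are three dot-separated, unpadded base64url fields:
#   <base64(bot id)>.<base64(creation time)>.<HMAC>
# The first field is the bot's decimal snowflake ID, so the operator's bot
# identity and creation date fall out of the token without contacting Discord.
# Field lengths below are an assumption chosen to fit current tokens; the
# lookarounds stop a match from swallowing adjacent alphanumerics.
TOKEN_RE = re.compile(
    rb"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,40}(?![A-Za-z0-9_-])"
)
DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch

# Values taken from this report's extracted config section.
EXTRACTED_TOKEN = "MTMwOTc3OTA0NDc1NzQwOTc5Mg.GqRjHM.OrOqdkb_0kY0TAalo3nn0l0anYPKxq5LviVRiA"
EXTRACTED_SERVER_ID = 1309037779530940456


def _b64decode_unpadded(field: str) -> bytes:
    # Discord strips '=' padding; restore it so the stdlib decoder accepts it.
    return base64.urlsafe_b64decode(field + "=" * (-len(field) % 4))


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_token(token: str) -> dict:
    """Return the bot ID and creation time encoded in a Discord bot token."""
    id_field, _time_field, _hmac = token.split(".")
    bot_id = int(_b64decode_unpadded(id_field).decode("ascii"))
    return {"bot_id": bot_id, "created": snowflake_to_datetime(bot_id)}


def find_tokens(blob: bytes) -> list:
    """Scan a binary for token-shaped strings in both ASCII and UTF-16LE.

    .NET string literals are stored as UTF-16LE, so a plain ASCII grep over
    a C# PE misses the token; decode that encoding and scan it as well.
    """
    found = {m.decode("ascii") for m in TOKEN_RE.findall(blob)}
    utf16_as_ascii = blob.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    found |= {m.decode("ascii") for m in TOKEN_RE.findall(utf16_as_ascii)}
    return sorted(found)


def _sample_dotnet_blob() -> bytes:
    """Constructed stand-in for a .NET PE: the token as UTF-16LE amid other bytes."""
    return b"\x00MZ\x90junk" + EXTRACTED_TOKEN.encode("utf-16-le") + b"\x00\x00more\xff"


if __name__ == "__main__":
    for tok in find_tokens(_sample_dotnet_blob()):
        info = parse_token(tok)
        print(f"bot id {info['bot_id']} created {info['created']:%Y-%m-%d %H:%M:%SZ}")
    print("server created", snowflake_to_datetime(EXTRACTED_SERVER_ID))
```

Run against the real sample, pass the bytes of `Loader.exe` to `find_tokens`. The creation time decoded from the bot ID falls on the same day the sample was submitted, which is typical of throwaway bots registered just before a campaign; the server was created before the bot. Neither function contacts Discord, so this is safe to run on an analysis host; reporting the token to Discord for revocation is a separate, manual step.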

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
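The "Writes to the Master Boot Record" signature on "Overlay Driver.exe" is the one finding here that survives a reinstall of the operating system, so the practical follow-up is to dump sector 0 of the affected disk and compare it with a known-good copy. The script below is an added example written for this report, not sandbox tooling: it parses a raw MBR sector (boot code, disk signature, partition table, 0x55AA signature) and names the regions that differ from a baseline. The two sample sectors are constructed in the script and are not images from this analysis; the device path in `read_mbr` is an assumption (Windows needs Administrator and `\\.\PhysicalDrive0`, Linux root and `/dev/sda`).

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439: the boot code a bootkit overwrites
DISK_SIG_OFFSET = 440      # bytes 440..443: Windows disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries, then 0x55AA
MBR_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:                       # type 0 marks an empty slot
            partitions.append(Partition(status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Name the MBR regions that changed relative to a known-good baseline."""
    findings = []
    if baseline[:BOOT_CODE_END] != current[:BOOT_CODE_END]:
        findings.append("boot_code")
    if baseline[440:444] != current[440:444]:
        findings.append("disk_signature")
    if baseline[446:510] != current[446:510]:
        findings.append("partition_table")
    if current[510:512] != MBR_SIGNATURE:
        findings.append("bad_signature")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device; requires Administrator/root (assumed path)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR for demonstration, not an image from the report."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x11\x22\x33\x44"
    # one active NTFS (0x07) partition at LBA 2048, 1 GiB of 512-byte sectors
    struct.pack_into("<B3sB3sII", sector, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2_097_152)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Baseline: the usual Windows MBR prologue (xor ax,ax / mov ss,ax / mov sp,7C00h).
CLEAN_MBR = make_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16)
# Tampered: partition table and disk signature untouched, boot code replaced.
TAMPERED_MBR = make_sample_mbr(b"\xEB\xFE" + b"\x00" * 21)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(mbr)["boot_code_sha256"][:16], compare_mbr(CLEAN_MBR, mbr))
```

On a live host, `compare_mbr(read_mbr(), baseline_bytes)` with a baseline captured from a clean build of the same image is the check to run; a `boot_code` finding with an unchanged partition table is the bootkit pattern, whereas a changed `disk_signature` alone usually means the disk was re-imaged. A sample that only writes to the MBR in a sandbox may also be a wiper rather than a bootkit, so keep the dumped sector for disassembly instead of relying on the hash alone.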

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/pHSQ9S
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82668cc40,0x7ff82668cc4c,0x7ff82668cc58
      2⤵
        PID:4684
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
        2⤵
          PID:2440
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
          2⤵
            PID:4544
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
            2⤵
              PID:1408
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
              2⤵
                PID:1708
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
                2⤵
                  PID:1964
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
                  2⤵
                    PID:3884
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3124,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:8
                    2⤵
                      PID:4428
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4704,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
                      2⤵
                        PID:888
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,1846020995641343298,5514592963056612008,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
                        2⤵
                          PID:1560
                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                        1⤵
                          PID:2308
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:1768
                          • C:\Windows\System32\rundll32.exe
                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                            1⤵
                              PID:632
                            • C:\Windows\system32\OpenWith.exe
                              C:\Windows\system32\OpenWith.exe -Embedding
                              1⤵
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:676
                            • C:\Windows\system32\OpenWith.exe
                              C:\Windows\system32\OpenWith.exe -Embedding
                              1⤵
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:2376
                            • C:\Program Files\7-Zip\7zG.exe
                              "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Loader\" -ad -an -ai#7zMap3632:74:7zEvent21015
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              PID:228
                            • C:\Users\Admin\Downloads\Loader\Loader\Loader.exe
                              "C:\Users\Admin\Downloads\Loader\Loader\Loader.exe"
                              1⤵
                              • Executes dropped EXE
                              PID:1072
                            • C:\Users\Admin\Downloads\Loader\Loader\Driver\Overlay Driver.exe
                              "C:\Users\Admin\Downloads\Loader\Loader\Driver\Overlay Driver.exe"
                              1⤵
                              • Executes dropped EXE
                              • Writes to the Master Boot Record (MBR)
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2856

                            Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                              Filesize

                              649B

                              MD5

                              f5284b8e9e8d6d66468e90f0259d6106

                              SHA1

                              25ea7fc41267596b4e43cd6847c1444be2f46f47

                              SHA256

                              c943809bbee88eb1aa0c71662bfbee53298ccf8f25c0f21d82c7288bcba4fe93

                              SHA512

                              961ab2770737d3ce7c892dafc03a5b3565fbeebf1cf87c55b7c4d494fc63ae2d584532014af37fd41b32efaa8e6be617b910bcc5d9f81a1bf48a54f2fbdf2e72

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              336B

                              MD5

                              7159faa04cabe0656ca70e0a75c57437

                              SHA1

                              fee74960cde46965958f04ecc4b47cb00c25b483

                              SHA256

                              12999bf3306eb573f1a5f41a2be435169c5a6147544b26ff8dd1c33bc415f5ea

                              SHA512

                              3ce3d14c9de55d13d1223cd2a41db3d3eaebe481639fbbb8d233d37ef89b83d319e7e604733e1cdfa1d2c8547eaa43cea565c382ecb0a0f49b9004bdbba8a692

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                              Filesize

                              2KB

                              MD5

                              9996160294e40407c65167fc0d5a4fc3

                              SHA1

                              c299b8778df785a8a19c12625ffa105091c62189

                              SHA256

                              41123f4e6a708ddbc5a3b48d83c9dce688a5d01d6cebdae4c608e0b965c740f0

                              SHA512

                              ce24287a5ecd0467309d3bbe57a3bc5d3138c13aaf2ab10c53051b3f9095dc51cd04c0b4f177f218f9c28fc7774d661913a774ae48c5e1fb4f7b4423ab108230

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                              Filesize

                              690B

                              MD5

                              af9c9e5612f308dc2530960858c69d8a

                              SHA1

                              2209266f409271393b6647db619d494dc360399a

                              SHA256

                              704dc72850d26a277807b65e5c72f199758fb0dea92e39d871bdc8970e5b55d0

                              SHA512

                              abc5a4ffa8552dd8ea7d656644e5f819dafeb72644f7af8644ac3aecfe017ee1e3b4ece34f357a8c4a02b7407eaf6a6a2fc6c406cfa70bdf3dfaf97b3aa93392

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              baddf02383122e9d5f1d592a26dfd044

                              SHA1

                              6e9d1ac652390c90a06357d2c056075e37f8a9e5

                              SHA256

                              e4ccf616996f9a31b7d1ff06983d4be02f853e36ceda5165b047b83d17e25a5b

                              SHA512

                              0dfb796288cf0f3fedcf3e56421b05a904eb3b1a136f690121a6bdbb3b98c349e241e882c77736eadda9b1a6a4d3e17ec82532222500bb96ebb31b9ab10d7ab0

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              9c67e3902b1d2fcbe8836eb236444489

                              SHA1

                              74f6fd773508d8829788ad6e86701ee2147aeed8

                              SHA256

                              17ccd7012d8a1dc8b39ef300f2c1cf729f1bb7360f9917618bf997ddbe670dfb

                              SHA512

                              cd193a4fb9d3dc5216ecce449411256b5aa7780f02e31c17a1ea7420953099268161358277c6fb1742193c505049cf28f2aadd3393e2b01d7cf72fe6a5381265

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              6b090e3802f515acb7d6d45c2c5df8df

                              SHA1

                              103bd5b3ee6aa939751dc19f7137ec4a03f2d6dd

                              SHA256

                              a10b5246090030c9ccbb2a11f2dc10c2aca9fd1a45ffff6ee6fb3e229d9973f4

                              SHA512

                              117363a03f431147387345ffd98c5d2ac74e2ee9053865c3d9692cd115b9eb0609e512c60331e1d6285dc9f7cfcd9a026ee2836e354dfa3c627dc67666e9aed6

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              7023ce986c90ee4b93659dd620417270

                              SHA1

                              61df591bf0822ca9316a3a9a988270cd3a3b0844

                              SHA256

                              95ad629bb3731088033481b6f17ada219de2f114036a430b7a0a413c212316a6

                              SHA512

                              2bd107b912d68bcecf7dbcd9527a94f57697897aa860d8af531103662e2d2cce6877c35908e420ba3928fcc63efd70f51a40500a70e202b0047f371d21d4350a

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              ed75cc8696f7e01afa84eda5a314cc07

                              SHA1

                              5361b0d540cce99ddbc55445752668507a4e538f

                              SHA256

                              d757f80a043d5e7438b262d683bd3273bbabe70ae670007686cbb34024f6cf0a

                              SHA512

                              5d4f8e5e9c64a36a451e20c14e289e2d4e3b368d3dfaac64991947f5043442dc83f7a99199749a34eebe3590d1eb8d538fa36c939047c5f014088a43334719f6

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              3d7555742c995d946f280ae43fa4d02a

                              SHA1

                              77a5ccafc98df6dd96f7f2b4d4f7e73f16b68d11

                              SHA256

                              938bf85174788785b19321890a6bfcc7a24ab13324c7588ae0ebddc73084518e

                              SHA512

                              e030a6a0ffc3fa1efa0ab0567e61de1a05442bea5be851ad9ac5a12605d6e7acb52cb1f02b4d2921d8ca554b9ac2cb70911ed0fefbaa1c11d663b1eb75e51f23

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              116KB

                              MD5

                              04977fc0bd058e6656d1c8b00587447a

                              SHA1

                              18d2286dcac05986a65567c986942c1d0507c16c

                              SHA256

                              6f3fdb6da1d39a9375fd73786b4b49b89b8ed446c4192e86b2f37dd3bd8c37eb

                              SHA512

                              89c3ea72354e5df919e524f2d5215f2627f9f8d415e0337d46f801839ad78bb0dd6acbf66e733efc295604e7a882642a6fde672862c14bc01c52fe9b7e5ebc71

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              116KB

                              MD5

                              e4f5658fe0e7fd772e8339f9ab8431ec

                              SHA1

                              96baf958f2805118189db33b7cc3069cb1bc665d

                              SHA256

                              9e06deae4d7ad6c2b7982dea176797d792554ad63c83a2a847f41f7e1b688c40

                              SHA512

                              42d0620b94df91f5e4287705a2b10b3c266efce4d7cfafb8bfaef6a7a3a926a190c5e8de2fbcc22a289b9aa83810e0302da4563c7f1679da4447996312e45678

                            • C:\Users\Admin\Downloads\Loader.rar.crdownload

                              Filesize

                              142KB

                              MD5

                              f486d0087fcd477eb89dc185de0ba31e

                              SHA1

                              d4905dec472044b2196253cd7d73e726e4b6dd5b

                              SHA256

                              6393db2668667452aba9455725016d2cfd914860d4b45c17dd03822e2f35a5d5

                              SHA512

                              4b963177a20d741eadde48d881c98ea6ac882d4a11aa72205a12e0c1414c102b11b31d03a5a4a2f214db3e37e03cd7b83c95e5768b32901070dbe372cd77ea14

                            • C:\Users\Admin\Downloads\Loader\Loader\Driver\Overlay Driver.exe

                              Filesize

                              225KB

                              MD5

                              af2379cc4d607a45ac44d62135fb7015

                              SHA1

                              39b6d40906c7f7f080e6befa93324dddadcbd9fa

                              SHA256

                              26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

                              SHA512

                              69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

                            • C:\Users\Admin\Downloads\Loader\Loader\Loader.exe

                              Filesize

                              78KB

                              MD5

                              04391246093a291e862e95fe85bb6d99

                              SHA1

                              6e8f09d32e367a5dc6edc2f0dd63a5e3bb3f8b61

                              SHA256

                              47be613828c1076fb90ab64a4901f928b612c61bf625817671c242f000badb4c

                              SHA512

                              870ee7e7bbffc355c6d6f56415e8430a27161e4820dbb44cdc2669e1d45582a941ed5b6c0d7dbeba141c42309ad1542dd24a56d4befac58e82df8608c8cc1d19

                            • memory/1072-122-0x000001D141820000-0x000001D141838000-memory.dmp

                              Filesize

                              96KB

                            • memory/1072-123-0x000001D15BE90000-0x000001D15C052000-memory.dmp

                              Filesize

                              1.8MB

                            • memory/1072-124-0x000001D15C6D0000-0x000001D15CBF8000-memory.dmp

                              Filesize

                              5.2MB