Analysis
-
max time kernel
38s -
max time network
41s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
02-12-2024 12:02
General
-
Target
https://mega.nz/folder/AeMzGRyZ#xTt-KzNRdV527KKpj7dHuQ
Malware Config
Extracted
discordrat
-
discord_token
MTI5OTEzNTM5MDMyOTg2ODM4MA.GSXT4J.l1NwkThNC0WguODQ7jZyklX5sQTedQ0j6SqCuY
-
server_id
1215457022309306480
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Executes dropped EXE 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 46 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/AeMzGRyZ#xTt-KzNRdV527KKpj7dHuQ1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcfba546f8,0x7ffcfba54708,0x7ffcfba547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4992 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff718115460,0x7ff718115470,0x7ff7181154803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6812 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Client-built.exe"C:\Users\Admin\Downloads\Client-built.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12486930396927434979,532887820120276557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x2d01⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD56dda6e078b56bc17505e368f3e845302
SHA145fbd981fbbd4f961bf72f0ac76308fc18306cba
SHA256591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15
SHA5129e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502
-
Filesize
152B
MD5f6126b3cef466f7479c4f176528a9348
SHA187855913d0bfe2c4559dd3acb243d05c6d7e4908
SHA256588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4
SHA512ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8
-
Filesize
48B
MD5f442660499104b14d2ebec68c7667597
SHA1364c47be91eb23dce0f1c185e9e1adf8594da8a8
SHA256ab8c05812fb09c85eadb4e4456f9b69297f6236560893c7727eff9c79da526a5
SHA5120c960241d203220f7883bdd489fda10140b25851b3724a8843460ebeb2b20c4e6f3b36d1b5741ba75fdfd85db7836ce6bfb24f913ede05f5c8955a275a16a85a
-
Filesize
72B
MD5724c4d4eb2f8546ae9ecc10824e34f90
SHA102296ad127d42a9e914ded7f0427f79992de1eb8
SHA256cf40f21d7667187d40b452d68d3c488145e6707c8d08835bf3a7808d3e5adb87
SHA51272450c2ed0b77550fc11e0ea37140cc4c3d5d63b0fc9538fd3953178a17ec5ec7407243141f196d12489e56550d8968e30568f0b2bbbd01a61f43eccfb31445c
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
5KB
MD554efc035fb7145f38b630ef4cb926967
SHA111a19075c43773eb3c136f14c56332e042b90528
SHA2564e77a568e768327a757e0712097e7a4a80eaeba744fd8e221acfb57db8c33074
SHA5124fc709322c098439ca756e2b8b776ed3c256bc9a3d416f4a2e88431f649e8bc93a7580db55f1c447f3e46d365dbfb980dfd255f730cf61d8f12f81f710041413
-
Filesize
5KB
MD54aab2d28cfa1436a0433913ccdbccf63
SHA1e2c3616602c920f160dd5f26292c217e2765d0b7
SHA2564b0c4d4c9d60e00c6d00ca00ea17b2c3512fd588d9353418483ba936810adf16
SHA5125a5491611e8d9a2da3f76f024e048e9a1bcd020300296274b712996620c1ff414f366f5cf232206786f19948209a87757255e90d66bc129fd5612c75d7a7902a
-
Filesize
5KB
MD5441bde0c658cd2101b203381bd3acb29
SHA12c33d221fd3c54d6f0dd31ccb7d67bf8c7f988ec
SHA256fec092ac3ddd8778d8116ef7400556b49c3af27438b7bb5d7fba428387e8ee5e
SHA5122c9c8073ca32b2f6b2f9c363770945409f70c61ccb7cbb39a1fe2dc6e8a68e8c555cc292f140def216fdedd996b0a2137ce8a5dcac96ca8d2312a6bda45139d8
-
Filesize
5KB
MD5de115e5ca2a72b204081ef3a261141e4
SHA152bea5aabe7449d452dc96ff4dc03be6a5ba47f3
SHA2562f2170f416786b0798bf800ad5909c57276998a8525bc45eeddc8bc08157c3ab
SHA5125caf2fd15007765260a65d5d41802e59545c292d01d9d3c9b82646491b9e8fba3477a1accdadb0a331a244cb105467371ec2bcb8ade2517b6442d7cbf32ba523
-
Filesize
24KB
MD590cc75707c7f427e9bbc8e0553500b46
SHA19034bdd7e7259406811ec8b5b7ce77317b6a2b7e
SHA256f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb
SHA5127ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511
-
Filesize
24KB
MD50d8c8c98295f59eade1d8c5b0527a5c2
SHA1038269c6a2c432c6ecb5b236d08804502e29cde0
SHA2569148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721
SHA512885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6
-
Filesize
72B
MD516cae2671a312944e1169fdd3c6c23c2
SHA172cae7787b5c83d8fb97d238c45c3253ef4930e1
SHA2565fb506b2b647af6bbdcc3ac9867158969c4f971262a99006f87962bc248686b6
SHA51270fdc63628406e541dd26537f006508afb447b70cfa38c4090c502ad4ca942ddb448381a8ebbf39847288da7af1baec7e6a3beea531100a3f4d292fd0c33bf4e
-
Filesize
48B
MD506e153266535cc9f73e1f254a79552ed
SHA1742499fd253f009483b42112e5a02b4314f8325e
SHA256697d860abe18dcd1d8291797ed06434dfac3d05149e01904004b1887d1aa331b
SHA5128f7a301e9c4a10647e23dbace6c31fc859bc4a4e3a467740629aa2dd5074df74ae6a40407f1599cd938b5b67c2ba2db90484e7ddb1ef586bb3b5f61709a7495b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD58d1000bd9eb2834185ec3985c6285845
SHA1ae406ecc2b99d9e8afca988dd5f4f3078a89bd6a
SHA256fe2e681a8574b9be4b1b46ed6dc7f378f002a80859d8f5d3e28ecf300f30b535
SHA51234136686f7aaea04899305f7ff5275fe3248f00b76be261ba6ae61668054eed6ae484f6910be94ee89e0825b5e448c0174cda7517e68ce2c3385923e497896dc
-
Filesize
10KB
MD54873a73e71257ea45f079f3973d0fd74
SHA1b94eb4640e742d4fd3ae25d8088295091087f2bb
SHA2569ab49bf45b90d6e263de0b1dc573378eab6c189d7778a7a29c8e5693be9bb2c1
SHA512c78a32e5da340600b09b2f986d906cdf86362fb3897fc540f9eb7ce184f9b6619fb709aa1d7c416ef0c0d2c05b1b5a85b21c4d426f563d2918a16d045e4053a0
-
Filesize
10KB
MD51fa205c4b333bed156aa62972068175a
SHA1c8bf20b46561be504b6ab552da4efbf10b911c1c
SHA256230af3207e7ce598064ff5e9a87fa73463a1a8a7f28821278d8c0420b31ae505
SHA5120f4a3c65defe562c8d91e9ac1a22c0a1a92700a261270b2e201b298f387eb4358b28ff27a1518e6d6b6b348575a798352dd822db8ccba87cafd37f0f956aa35e
-
Filesize
3KB
MD535c3464f9f2cefd9a39819606d9e41aa
SHA1972bbd9951b1f7722feca20eb6a1c20995868b70
SHA25609a006fe3d6acecb4d4a6372b80777b67dc109f53b99cdfd58886e26080efced
SHA512f1ed3e2a6207b840b801ebf046cfa22e0daa6cd8bf062ef2a216feba0c0575f765d95888b78b7e2a1a71c69e987175b11544e313135d8f7c941923b71872853d
-
Filesize
3KB
MD59e2bf8592dab0ab36ecf911833fcf6e9
SHA11d722adb801e07d3589b9cc25bdecb114bf0a47d
SHA25674dbc60096476dbd068a63ad3ec22e38c9484494194e3b8e47ead759842c238c
SHA5120263fb039b1bd5ac2ebd390b50eb5466d512a2360af2e54b6c0815a09c086724e5a7bdc6cd43204bccff60bc36642ef6af894ee6f3294265fdbd442b0a518fa6
-
Filesize
78KB
MD593f25fd89524c78ba07d5465e4cd335f
SHA19abebdf8fe6c710edf86a8b0fa18a853d929900d
SHA256445efaeb06cd5448531b3243c5ae2c1af1458545ba0059fdd6fe9466d23423ea
SHA512fe0f000f743ba91cd7cfe14a8cdf2a64f2b6401c4514aa00818c932cee61c958af1434dae7fcc7db842cda6c576f1f14dca0653c8b5c8dd6fafb14d68131d97b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB