njrat | 7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	New Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	discord.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\discord.url	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe

Executes dropped EXE 7 IoCs

pid	Process
4536	discord.exe
4032	discord.exe
1360	discord.exe
4144	discord.exe
3200	discord.exe
4956	discord.exe
3144	discord.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
20	0.tcp.eu.ngrok.io
45	0.tcp.eu.ngrok.io
57	0.tcp.eu.ngrok.io
59	0.tcp.eu.ngrok.io
185	0.tcp.eu.ngrok.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
380	PING.EXE
3756	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4668	taskkill.exe
2536	taskkill.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile	discord.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile\shell	discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	discord.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{5E5F6CD6-BE06-4B9E-AAAE-ED7EE97F3C8A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile\shell\open\command	discord.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile\shell\open	discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe"	discord.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	discord.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
380	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1536	schtasks.exe
1212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
3508	taskmgr.exe
3508	taskmgr.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe
4536	discord.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	taskmgr.exe
Token: SeSystemProfilePrivilege	4792	taskmgr.exe
Token: SeCreateGlobalPrivilege	4792	taskmgr.exe
Token: SeDebugPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: SeDebugPrivilege	3508	taskmgr.exe
Token: SeSystemProfilePrivilege	3508	taskmgr.exe
Token: SeCreateGlobalPrivilege	3508	taskmgr.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: 33	4536	discord.exe
Token: SeIncBasePriorityPrivilege	4536	discord.exe
Token: SeSecurityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: 33	2856	mmc.exe
Token: SeIncBasePriorityPrivilege	2856	mmc.exe
Token: SeSecurityPrivilege	2856	mmc.exe
Token: SeDebugPrivilege	1360	discord.exe
Token: 33	1360	discord.exe
Token: SeIncBasePriorityPrivilege	1360	discord.exe
Token: 33	1360	discord.exe
Token: SeIncBasePriorityPrivilege	1360	discord.exe
Token: 33	1360	discord.exe
Token: SeIncBasePriorityPrivilege	1360	discord.exe
Token: 33	1360	discord.exe
Token: SeIncBasePriorityPrivilege	1360	discord.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
4792	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
3508	taskmgr.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4536	discord.exe
2856	mmc.exe
2856	mmc.exe
1996	OpenWith.exe
1776	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4536	3980	New Client.exe	85
PID 3980 wrote to memory of 4536	3980	New Client.exe	85
PID 3980 wrote to memory of 1040	3980	New Client.exe	86
PID 3980 wrote to memory of 1040	3980	New Client.exe	86
PID 1040 wrote to memory of 2692	1040	cmd.exe	88
PID 1040 wrote to memory of 2692	1040	cmd.exe	88
PID 4536 wrote to memory of 4668	4536	discord.exe	94
PID 4536 wrote to memory of 4668	4536	discord.exe	94
PID 4536 wrote to memory of 4924	4536	discord.exe	96
PID 4536 wrote to memory of 4924	4536	discord.exe	96
PID 4536 wrote to memory of 1536	4536	discord.exe	98
PID 4536 wrote to memory of 1536	4536	discord.exe	98
PID 4536 wrote to memory of 3496	4536	discord.exe	109
PID 4536 wrote to memory of 3496	4536	discord.exe	109
PID 3496 wrote to memory of 2856	3496	eventvwr.exe	110
PID 3496 wrote to memory of 2856	3496	eventvwr.exe	110
PID 1360 wrote to memory of 2536	1360	discord.exe	112
PID 1360 wrote to memory of 2536	1360	discord.exe	112
PID 1360 wrote to memory of 2408	1360	discord.exe	114
PID 1360 wrote to memory of 2408	1360	discord.exe	114
PID 1360 wrote to memory of 1212	1360	discord.exe	116
PID 1360 wrote to memory of 1212	1360	discord.exe	116
PID 1360 wrote to memory of 380	1360	discord.exe	120
PID 1360 wrote to memory of 380	1360	discord.exe	120
PID 380 wrote to memory of 2508	380	cmd.exe	122
PID 380 wrote to memory of 2508	380	cmd.exe	122
PID 2508 wrote to memory of 5056	2508	msedge.exe	124
PID 2508 wrote to memory of 5056	2508	msedge.exe	124
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125
PID 2508 wrote to memory of 1228	2508	msedge.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4668
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4924
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1536
- - C:\Windows\System32\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    PID:2692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\system32\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - Kills process with taskkill
  PID:2536
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
  2⤵
  PID:2408
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1212
- C:\Windows\system32\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://soundcloud.com/discover
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdce9646f8,0x7ffdce964708,0x7ffdce964718
      4⤵
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
      4⤵
      PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      4⤵
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      4⤵
      PID:4400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:4484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:3972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3852 /prefetch:8
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4876 /prefetch:8
      4⤵
      Modifies registry class
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
      4⤵
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
      4⤵
      PID:1748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      4⤵
      PID:3336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,12434065254435359360,1374700032213299608,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 /prefetch:2
      4⤵
      PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\df78c3f9e2764f65801e202beab76d66.bat" "
  2⤵
  PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://soundcloud.com/discover
    3⤵
    PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdce9646f8,0x7ffdce964708,0x7ffdce964718
      4⤵
      PID:1848
- C:\Windows\system32\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3756
- - C:\Windows\system32\PING.EXE
    ping 0 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:380

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3560

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery