Analysis Overview
SHA256
07f0a68cf4af26e9355c1349bc5c60ae802630faff552081f2785a250ac6284d
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Discordrat family
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-02 21:16
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-02 21:16
Reported
2025-01-02 21:18
Platform
win11-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Discord RAT
Discordrat family
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| GB | 88.221.134.249:443 | tcp | |
| GB | 88.221.134.249:443 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| US | 52.168.117.168:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 95.101.143.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.143.101.95.in-addr.arpa | udp |
Files
memory/2948-0-0x00007FFA50573000-0x00007FFA50575000-memory.dmp
memory/2948-1-0x000001D0D9510000-0x000001D0D9528000-memory.dmp
memory/2948-2-0x000001D0F3EF0000-0x000001D0F40B2000-memory.dmp
memory/2948-3-0x00007FFA50570000-0x00007FFA51032000-memory.dmp
memory/2948-4-0x000001D0F5070000-0x000001D0F5598000-memory.dmp
memory/2948-5-0x00007FFA50573000-0x00007FFA50575000-memory.dmp
memory/2948-6-0x00007FFA50570000-0x00007FFA51032000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9369d663-2126-4e8c-919a-dac443ffe67b.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 77a8b2c86dd26c214bc11c989789b62d |
| SHA1 | 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499 |
| SHA256 | e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8 |
| SHA512 | c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e |