Analysis

  • max time kernel
    34s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 17:01

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    ca1f1d216f30fe7fc9096c8ec4b3df84

  • SHA1

    64d1b2d48fddcff124356d18a6bbc26ffa4c8c66

  • SHA256

    e3e6dda056e1e6da30a765b26a1a4aad2f77736403a475f549612c5836f950cc

  • SHA512

    a086b0e2491b1a732e1ace9c175b7e2fd3db2cdc007519c32b719f0952fde771ecd4e081691abe74946539d74e36f72c167e5f7dbf67d38b4e8232b071dc7184

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyNDczMzg3Mzc1Nzc1MzM0NA.Gkn033.OQQv_AbqqPbf6kzNj7tP1oqqRytPV4DTChievM

  • server_id

    1324733732040740955

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2276
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d3ba46f8,0x7ff9d3ba4708,0x7ff9d3ba4718
      2⤵
        PID:3716
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
        2⤵
          PID:4484
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4316
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
          2⤵
            PID:4584
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
            2⤵
              PID:1456
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
              2⤵
                PID:3808
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                2⤵
                  PID:3192
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
                  2⤵
                    PID:4672
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4224
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:1332

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      61cef8e38cd95bf003f5fdd1dc37dae1

                      SHA1

                      11f2f79ecb349344c143eea9a0fed41891a3467f

                      SHA256

                      ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                      SHA512

                      6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      0a9dc42e4013fc47438e96d24beb8eff

                      SHA1

                      806ab26d7eae031a58484188a7eb1adab06457fc

                      SHA256

                      58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                      SHA512

                      868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      0f237446d608d64a0970afa19f9cc10b

                      SHA1

                      a9ff692315538ad8eb12bfcebded8e0b9753acaf

                      SHA256

                      613707d29bb608a959673a97a33dafcc0f634357870fb2d2045788c45dec5308

                      SHA512

                      ef67ffede79c242baf4e04eaec73a19760e47162dafe0373aac4a9f9357af713272ced1990b662fb742edbcfd3d2a04137bcfa1a014c5345b523cf0542c0ef8c

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a7326d1f-3279-4046-be33-a014876b09fc.tmp

                      Filesize

                      6KB

                      MD5

                      32b80000fcf0880b1f476d4aa1054b47

                      SHA1

                      a2aaa10a815a0bd9d0b41cf57d330fb072d681a8

                      SHA256

                      10bfe3c029d1b8c295bc334ff231d6fb27b4e86a4f11ae590b35567c12753af1

                      SHA512

                      451bc8c3521482ea9d14aa8181b6b9240dac62dcbaca7baaef6e7f27ad05b0d92f6e7fa29a2a6354ee28009bc23a6cdebfddd692237e607642d4ce45c7e78826

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                      Filesize

                      10KB

                      MD5

                      b3622b69a9b1933e44c6df24fbcad274

                      SHA1

                      e3be58db701a2f9e4a29c660552a522da85f920d

                      SHA256

                      391b299e52425588fac0ca52afec810e0e2782e4db0044b5e52cd2e832d51341

                      SHA512

                      d5eb14ff1aabdee12f960d2828191555dd6a152086fcb235e6549be79cda98cba21a4769975d5b9c4c11d1ad289e4a77fe232a0391948baf962fdf64a22ce7f0

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                      Filesize

                      264KB

                      MD5

                      f50f89a0a91564d0b8a211f8921aa7de

                      SHA1

                      112403a17dd69d5b9018b8cede023cb3b54eab7d

                      SHA256

                      b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                      SHA512

                      bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                    • memory/2276-3-0x00007FF9D9B20000-0x00007FF9DA5E1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/2276-6-0x00007FF9D9B20000-0x00007FF9DA5E1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/2276-5-0x00007FF9D9B23000-0x00007FF9D9B25000-memory.dmp

                      Filesize

                      8KB

                    • memory/2276-4-0x000002007CC80000-0x000002007D1A8000-memory.dmp

                      Filesize

                      5.2MB

                    • memory/2276-0-0x00007FF9D9B23000-0x00007FF9D9B25000-memory.dmp

                      Filesize

                      8KB

                    • memory/2276-2-0x000002007C340000-0x000002007C502000-memory.dmp

                      Filesize

                      1.8MB

                    • memory/2276-1-0x0000020079D00000-0x0000020079D18000-memory.dmp

                      Filesize

                      96KB