Analysis

max time kernel: 34s
max time network: 43s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-01-2025 17:01

Behavioral task: behavioral1
  Sample: Client-built.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Client-built.exe
  Resource: win10v2004-20241007-en

General

Target: Client-built.exe
Size: 78KB
MD5: ca1f1d216f30fe7fc9096c8ec4b3df84
SHA1: 64d1b2d48fddcff124356d18a6bbc26ffa4c8c66
SHA256: e3e6dda056e1e6da30a765b26a1a4aad2f77736403a475f549612c5836f950cc
SHA512: a086b0e2491b1a732e1ace9c175b7e2fd3db2cdc007519c32b719f0952fde771ecd4e081691abe74946539d74e36f72c167e5f7dbf67d38b4e8232b071dc7184
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC
Malware Config

Extracted: discordrat
  discord_token: MTMyNDczMzg3Mzc1Nzc1MzM0NA.Gkn033.OQQv_AbqqPbf6kzNj7tP1oqqRytPV4DTChievM
  server_id: 1324733732040740955
Signatures

Discord RAT
  A RAT written in C# using Discord as a C2.
  Family: Discordrat

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  flow  ioc
  36    discord.com
  7     discord.com
  8     discord.com
  19    discord.com
  35    discord.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4316  msedge.exe
  4316  msedge.exe
  2100  msedge.exe
  2100  msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid   Process
  2100  msedge.exe (4 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2276  Client-built.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  2100  msedge.exe (26 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  2100  msedge.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                  pid   Process     procid_target
  PID 2100 wrote to memory of  3716  msedge.exe  101
  PID 2100 wrote to memory of  4484  msedge.exe  102
  PID 2100 wrote to memory of  4316  msedge.exe  103
  PID 2100 wrote to memory of  4584  msedge.exe  104
  (all 64 entries are msedge.exe, PID 2100, writing into its own child processes 3716, 4484, 4316 and 4584; each target appears repeatedly)
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2276
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  PID: 2100
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d3ba46f8,0x7ff9d3ba4708,0x7ff9d3ba4718
    PID: 3716

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
    PID: 4484

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    PID: 4316
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    PID: 4584

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    PID: 1456

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    PID: 3808

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    PID: 3192

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (child of PID 2100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5843249935454584677,3226590429550963952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    PID: 4672

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4224

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1332