discordrat | 27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96

Resubmissions

26/01/2025, 09:00

250126-kytzpsynbm 10

26/01/2025, 08:54

250126-kvck9aymej 10

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mtree‮gpj.exe
Size

1.3MB
MD5

b8b0baac29daa1eff8ecb046fe91f104
SHA1

c6ece29c90cb57bca393139e44d70b029bc1f677
SHA256

27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
SHA512

5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
SSDEEP

24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI

Score

10^/10

discordrat defense_evasion discovery persistence privilege_escalation ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjk5NDEwMjkwMzU3MDU0Mw.GjHo9c.uUUeJljLrRcuIvW_FlFF0o4Eh6h5i-SEDWYry8
server_id
1332539766268231760

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
812	NetSh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mtree‮gpj.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	Client-built.exe

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

UAC Bypass Attempt via SilentCleanup Task.

defense_evasion privilege_escalation

Bypass User Account Control

T1548.002

pid	Process
2308	SCHTASKS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
24	discord.com
48	discord.com
49	discord.com
62	discord.com
65	discord.com
18	discord.com
19	discord.com
53	discord.com
54	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2C85.tmp.png"	Client-built.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	Client-built.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4464	Client-built.exe
4464	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4464	1168	mtree‮gpj.exe	84
PID 1168 wrote to memory of 4464	1168	mtree‮gpj.exe	84
PID 4464 wrote to memory of 812	4464	Client-built.exe	105
PID 4464 wrote to memory of 812	4464	Client-built.exe	105
PID 4464 wrote to memory of 2308	4464	Client-built.exe	108
PID 4464 wrote to memory of 2308	4464	Client-built.exe	108
PID 432 wrote to memory of 2912	432	msedge.exe	124
PID 432 wrote to memory of 2912	432	msedge.exe	124
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4308	432	msedge.exe	126
PID 432 wrote to memory of 4684	432	msedge.exe	127
PID 432 wrote to memory of 4684	432	msedge.exe	127
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128
PID 432 wrote to memory of 3096	432	msedge.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\mtree‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\mtree‮gpj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:812
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    3⤵
    - Abuse Elevation Control Mechanism: Bypass User Account Control
    PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc55e5ef0h67f4h47c5ha73dhebfc9e0e4287
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8507546f8,0x7ff850754708,0x7ff850754718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d265c19336330ead06c850d9c0f2fdf8

SHA1
f275b4a433bc8342d85038cacf4f15b53d534962

SHA256
c465402360796bfc9a488752c5a591f896bdb122961edbe13571980489b71d15

SHA512
f72e9f6166f6e601d700edc37287d337b721da7ee590d174f19a773fdf90a3a54dca77848b9571a74af16c2f50ff9b435490e65d0df7eb2acbca6258c50fa009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
78e94f12ef31bf00c43c01b6af5bf635

SHA1
92dcfd9680fae02395381ce461360bf159f382a7

SHA256
cf9f3e9125e6ebb1c54aeca3d82d985b6937a5f1bc470f50a9a490c2bbea73b3

SHA512
2e4ce1b740264ae82bb2e87bd37dd9cbb18908a19bc2712f5856cb3b4c880bbe4eaba2edce0014efffa43567fb1238d74712fb4f2f5361291ef2b26ea2d214a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
cf3c7283d0e6d81dbd48c159d7e9b3b3

SHA1
bdbf22216c154f6ce7271656692aac72d6722ea7

SHA256
8f55bd1762834764908a60c291607ec869cde7609c558edf1f02a4bfa6e39ae5

SHA512
36e8b38288450a9e60437abfe3971b824e128c63c773843c1ac139b52265602012c322cadcc58705215d7d76f08bfb7f983c011b15bcda15b89dfb22df5d9fc6

Download Submit
memory/4464-14-0x00007FF8558C3000-0x00007FF8558C5000-memory.dmp

Filesize
8KB

Download
memory/4464-15-0x00000266998F0000-0x0000026699908000-memory.dmp

Filesize
96KB

Download
memory/4464-16-0x00000266B3EC0000-0x00000266B4082000-memory.dmp

Filesize
1.8MB

Download
memory/4464-17-0x00007FF8558C0000-0x00007FF856381000-memory.dmp

Filesize
10.8MB

Download
memory/4464-18-0x00000266B46C0000-0x00000266B4BE8000-memory.dmp

Filesize
5.2MB

Download
memory/4464-19-0x00007FF8558C3000-0x00007FF8558C5000-memory.dmp

Filesize
8KB

Download
memory/4464-20-0x00007FF8558C0000-0x00007FF856381000-memory.dmp

Filesize
10.8MB

Download