discordrat | b6c7009dd8b089a584aeb6ba37fb75c11a415d63512347beece251e69da5c63b

Resubmissions

02-02-2025 02:35

250202-c21mnatkcq 10

02-02-2025 02:32

250202-c1ezka1ngt 10

02-02-2025 02:21

250202-ctafhasqbl 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NebulaExecutor.rar
Size

27KB
MD5

f44ba3369f118e9cc2611886494cc3f8
SHA1

ecfcbd5f3149762e00298980c79137ee3299be3a
SHA256

b6c7009dd8b089a584aeb6ba37fb75c11a415d63512347beece251e69da5c63b
SHA512

b31cd82c9c490e5dc0358459e7d81f12e2ba4ca092d71e27d078d740475fc5857e758b1c3e3996e69ee989bcf21e0acde9c6eeaaba6f30c9f1ea1bcb1eb3cac1
SSDEEP

768:2/Dgm33+7HbJRN4FnxT+nugwNwlG+sbiVTRsn:1Ou7Hbh4Ftou9zfbmRu

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNTM0MTMyNTUxMTU1NzE5MQ.GJnF0Z.22Phw5o1Gt-WE6QFl0-J7NOftNtcUB5FqXmuQE
server_id
1334897427899093072

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4408 created 616	4408	NebulaExecutor.exe	5

Downloads MZ/PE file 2 IoCs

flow	pid	Process
46	4408	NebulaExecutor.exe
53	4408	NebulaExecutor.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	NebulaExecutor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
21	discord.com
25	discord.com
28	discord.com
29	discord.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
47	discord.com
20	discord.com
30	discord.com
31	discord.com
53	raw.githubusercontent.com
54	discord.com
55	discord.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 4608	4408	NebulaExecutor.exe	95

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738463806"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 02 Feb 2025 02:36:46 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1BEECCB4-8C6D-4CB0-814F-750175E1F477}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4608	dllhost.exe
4408	NebulaExecutor.exe
4608	dllhost.exe
4608	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	7zFM.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2860	7zFM.exe
Token: 35	2860	7zFM.exe
Token: SeSecurityPrivilege	2860	7zFM.exe
Token: SeDebugPrivilege	4408	NebulaExecutor.exe
Token: SeDebugPrivilege	4408	NebulaExecutor.exe
Token: SeDebugPrivilege	4608	dllhost.exe
Token: SeShutdownPrivilege	336	dwm.exe
Token: SeCreatePagefilePrivilege	336	dwm.exe
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2860	7zFM.exe
2860	7zFM.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
4144	RuntimeBroker.exe
3540	Explorer.EXE
4024	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4408	2860	7zFM.exe	87
PID 2860 wrote to memory of 4408	2860	7zFM.exe	87
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4408 wrote to memory of 4608	4408	NebulaExecutor.exe	95
PID 4608 wrote to memory of 616	4608	dllhost.exe	5
PID 4608 wrote to memory of 688	4608	dllhost.exe	7
PID 4608 wrote to memory of 960	4608	dllhost.exe	12
PID 4608 wrote to memory of 336	4608	dllhost.exe	13
PID 4608 wrote to memory of 744	4608	dllhost.exe	14
PID 4608 wrote to memory of 1032	4608	dllhost.exe	16
PID 4608 wrote to memory of 1116	4608	dllhost.exe	17
PID 4608 wrote to memory of 1144	4608	dllhost.exe	18
PID 4608 wrote to memory of 1156	4608	dllhost.exe	19
PID 4608 wrote to memory of 1220	4608	dllhost.exe	20
PID 4608 wrote to memory of 1256	4608	dllhost.exe	21
PID 4608 wrote to memory of 1320	4608	dllhost.exe	22
PID 4608 wrote to memory of 1344	4608	dllhost.exe	23
PID 4608 wrote to memory of 1476	4608	dllhost.exe	24
PID 4608 wrote to memory of 1500	4608	dllhost.exe	25
PID 4608 wrote to memory of 1512	4608	dllhost.exe	26
PID 4608 wrote to memory of 1520	4608	dllhost.exe	27
PID 4608 wrote to memory of 1652	4608	dllhost.exe	28
PID 4608 wrote to memory of 1696	4608	dllhost.exe	29
PID 4608 wrote to memory of 1728	4608	dllhost.exe	30
PID 4608 wrote to memory of 1800	4608	dllhost.exe	31
PID 4608 wrote to memory of 1828	4608	dllhost.exe	32
PID 4608 wrote to memory of 1976	4608	dllhost.exe	33
PID 4608 wrote to memory of 1992	4608	dllhost.exe	34
PID 4608 wrote to memory of 2036	4608	dllhost.exe	35
PID 4608 wrote to memory of 1884	4608	dllhost.exe	36
PID 4608 wrote to memory of 1960	4608	dllhost.exe	37
PID 4608 wrote to memory of 2172	4608	dllhost.exe	38
PID 4608 wrote to memory of 2208	4608	dllhost.exe	39
PID 4608 wrote to memory of 2304	4608	dllhost.exe	41
PID 4608 wrote to memory of 2524	4608	dllhost.exe	42
PID 4608 wrote to memory of 2544	4608	dllhost.exe	43
PID 4608 wrote to memory of 2628	4608	dllhost.exe	44
PID 4608 wrote to memory of 2648	4608	dllhost.exe	45
PID 4608 wrote to memory of 2664	4608	dllhost.exe	46
PID 4608 wrote to memory of 2728	4608	dllhost.exe	47
PID 4608 wrote to memory of 2796	4608	dllhost.exe	48
PID 4608 wrote to memory of 2812	4608	dllhost.exe	49
PID 4608 wrote to memory of 2832	4608	dllhost.exe	50
PID 4608 wrote to memory of 2848	4608	dllhost.exe	51
PID 4608 wrote to memory of 2876	4608	dllhost.exe	52
PID 4608 wrote to memory of 2328	4608	dllhost.exe	53
PID 4608 wrote to memory of 3416	4608	dllhost.exe	55
PID 4608 wrote to memory of 3540	4608	dllhost.exe	56
PID 4608 wrote to memory of 3672	4608	dllhost.exe	57
PID 4608 wrote to memory of 3864	4608	dllhost.exe	58
PID 4608 wrote to memory of 4024	4608	dllhost.exe	60
PID 4608 wrote to memory of 4144	4608	dllhost.exe	62
PID 4608 wrote to memory of 4496	4608	dllhost.exe	65
PID 4608 wrote to memory of 4056	4608	dllhost.exe	67
PID 4608 wrote to memory of 1364	4608	dllhost.exe	68

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{864297d9-a04a-4f89-9eda-472942c180a6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4608

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1476
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2172

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3540
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NebulaExecutor.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\7zOC2B427F7\NebulaExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC2B427F7\NebulaExecutor.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3608

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2844

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4488

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC2B427F7\NebulaExecutor.exe

Filesize
78KB

MD5
1f7c55917fc1e27a77bcaa3497156e87

SHA1
81f89045a559a1836a3fac0a36a7f7076c995339

SHA256
399b3c64845039ef901bd16539ee97688cc75eba8f9aae39353784dcd0d5f0f7

SHA512
381d354b71987339a78acf6d1df8db883b617e8da66ad54179a4f9940cf319d866f602ca09cb409cc95764c5f502dca24b96134e2305aa7feacc124d3ca05f8e

Download Submit
memory/336-39-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/336-38-0x000001615A210000-0x000001615A23A000-memory.dmp

Filesize
168KB

Download
memory/616-31-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/616-28-0x000001DB6E840000-0x000001DB6E863000-memory.dmp

Filesize
140KB

Download
memory/616-30-0x000001DB6EC30000-0x000001DB6EC5A000-memory.dmp

Filesize
168KB

Download
memory/688-36-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/688-35-0x000001B1F08A0000-0x000001B1F08CA000-memory.dmp

Filesize
168KB

Download
memory/744-45-0x0000024E4BC60000-0x0000024E4BC8A000-memory.dmp

Filesize
168KB

Download
memory/744-46-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/960-42-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/960-41-0x00000225ED650000-0x00000225ED67A000-memory.dmp

Filesize
168KB

Download
memory/1032-53-0x000002B0D70D0000-0x000002B0D70FA000-memory.dmp

Filesize
168KB

Download
memory/1032-54-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1116-57-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1116-56-0x0000024982990000-0x00000249829BA000-memory.dmp

Filesize
168KB

Download
memory/1144-59-0x000001ACAC6C0000-0x000001ACAC6EA000-memory.dmp

Filesize
168KB

Download
memory/1144-60-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1156-62-0x0000020C4C930000-0x0000020C4C95A000-memory.dmp

Filesize
168KB

Download
memory/1156-63-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1220-66-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1220-65-0x000001F0CDB50000-0x000001F0CDB7A000-memory.dmp

Filesize
168KB

Download
memory/1256-70-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1256-69-0x00000249D94F0000-0x00000249D951A000-memory.dmp

Filesize
168KB

Download
memory/1320-80-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/1320-79-0x0000021542D90000-0x0000021542DBA000-memory.dmp

Filesize
168KB

Download
memory/1344-82-0x0000013FF9530000-0x0000013FF955A000-memory.dmp

Filesize
168KB

Download
memory/1344-83-0x00007FFD15190000-0x00007FFD151A0000-memory.dmp

Filesize
64KB

Download
memory/4408-15-0x00007FFD36570000-0x00007FFD37031000-memory.dmp

Filesize
10.8MB

Download
memory/4408-12-0x00007FFD36573000-0x00007FFD36575000-memory.dmp

Filesize
8KB

Download
memory/4408-17-0x00007FFD36573000-0x00007FFD36575000-memory.dmp

Filesize
8KB

Download
memory/4408-16-0x000001FF413D0000-0x000001FF418F8000-memory.dmp

Filesize
5.2MB

Download
memory/4408-18-0x00007FFD36570000-0x00007FFD37031000-memory.dmp

Filesize
10.8MB

Download
memory/4408-21-0x00007FFD53300000-0x00007FFD533BE000-memory.dmp

Filesize
760KB

Download
memory/4408-20-0x00007FFD55110000-0x00007FFD55305000-memory.dmp

Filesize
2.0MB

Download
memory/4408-19-0x000001FF28290000-0x000001FF282CE000-memory.dmp

Filesize
248KB

Download
memory/4408-294-0x000001FF40B40000-0x000001FF40B5E000-memory.dmp

Filesize
120KB

Download
memory/4408-293-0x000001FF28110000-0x000001FF28122000-memory.dmp

Filesize
72KB

Download
memory/4408-292-0x000001FF429B0000-0x000001FF42A26000-memory.dmp

Filesize
472KB

Download
memory/4408-13-0x000001FF26420000-0x000001FF26438000-memory.dmp

Filesize
96KB

Download
memory/4408-14-0x000001FF40BD0000-0x000001FF40D92000-memory.dmp

Filesize
1.8MB

Download
memory/4608-24-0x00007FFD55110000-0x00007FFD55305000-memory.dmp

Filesize
2.0MB

Download
memory/4608-26-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4608-23-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4608-25-0x00007FFD53300000-0x00007FFD533BE000-memory.dmp

Filesize
760KB

Download
memory/4608-22-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download