Overview

overview

10

Static

static

3

Discord.exe

windows7-x64

10

Discord.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-02-2025 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Discord.exe

  • Size

    1.8MB

  • MD5

    b5c4fa68d74ab47092a46241d6b10a16

  • SHA1

    e754f10c51933c1ef98782fbf695e8f21198fe7e

  • SHA256

    20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

  • SHA512

    3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

  • SSDEEP

    24576:xoGjZgFKRWhFSJVRNkiPmfqbvi5iqOlK565cvugnpQS2/DS7w0KksrSTkdu+vNph:xav+RxbvikJj4npQS2/DSs6YVz7sD

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HTy5xXriFL.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2112
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2544
          • C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe
            "C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2120
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DiscordD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\Discord.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Discord" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Discord.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DiscordD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\Discord.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe
        Filesize

        1.8MB

        MD5

        b5c4fa68d74ab47092a46241d6b10a16

        SHA1

        e754f10c51933c1ef98782fbf695e8f21198fe7e

        SHA256

        20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

        SHA512

        3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\HTy5xXriFL.bat
        Filesize

        245B

        MD5

        ab5b38eeebb1726028a7b844800fb577

        SHA1

        c6fd7c7648a3e27643ac42bd3e175265689d5b72

        SHA256

        a0ec6ae13d99f3e65f8215ef2a21413eb0fb85e00ce0f1a243d630230c9b89fe

        SHA512

        32aed530a3d719bfc302af762220b0ad0686ab5c78f4d57462c845cdf6c3f4d70c26471bad65373feea1d6e650321ce83282ff4b6fd8558069459023fb487a20

        Download Submit

      • memory/2232-34-0x0000000000130000-0x0000000000302000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2840-11-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-4-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-6-0x00000000005F0000-0x00000000005FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2840-8-0x0000000000620000-0x000000000063C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2840-10-0x0000000000640000-0x0000000000658000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2840-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2840-14-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-3-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-23-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-25-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-31-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-1-0x00000000002C0000-0x0000000000492000-memory.dmp

        Filesize

        1.8MB

        Download