discordrat | 8b65d7656d0881a2727ea57981a5b851a6f06a3dbad1f44accbcbf9e0d21ba1b

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/03/2025, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

200KB
MD5

ac85ff97508f5d096a0b89251bcd5b33
SHA1

cf09f37eb3ab8ab28fced295b7068a5f97124f23
SHA256

0283982b9ca1259e8f2a9d1e650cf7baa7a7d4d939179d634aef8a4a271b2a9a
SHA512

b22e117ce51a1a21cc5dcfb2e1d408dc8cc538228c0d3fc5773e0808523f93cbbbdeba8be7217ccc281adca80a011151e90f1097a824cd61f6063bcd71aa2c5f
SSDEEP

6144:xV28ou9f4wIPuBDnxPMhU3YnOQO9xPOYC12oS:xo3wvhMrO9xm9AoS

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTEwMTIwNjIwODE3NTY3MzUxNA.GxRTwM.GCvslMQeJGlG702rniWyui2HFdhthM9sE98y3E
server_id
1101173030589300938

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Executes dropped EXE 25 IoCs

pid	Process
2252	main.exe
1056	main.exe
2040	main.exe
676	main.exe
1432	main.exe
1100	main.exe
2116	main.exe
2464	main.exe
812	main.exe
856	main.exe
372	main.exe
2044	main.exe
1972	main.exe
2020	main.exe
1624	main.exe
2732	main.exe
316	main.exe
348	main.exe
1768	main.exe
1588	main.exe
2804	main.exe
932	main.exe
1040	main.exe
2892	main.exe
1872	main.exe

Loads dropped DLL 64 IoCs

pid	Process
536	cmd.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
536	cmd.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
536	cmd.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
536	cmd.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
536	cmd.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
536	cmd.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
536	cmd.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
536	cmd.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
536	cmd.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
536	cmd.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
536	cmd.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3044	certutil.exe
2968	certutil.exe
2580	certutil.exe

Enumerates processes with tasklist 1 TTPs 25 IoCs

discovery

Process Discovery

T1057

pid	Process
2684	tasklist.exe
2932	tasklist.exe
1800	tasklist.exe
2316	tasklist.exe
2156	tasklist.exe
2284	tasklist.exe
2748	tasklist.exe
348	tasklist.exe
2240	tasklist.exe
2796	tasklist.exe
1652	tasklist.exe
3020	tasklist.exe
2692	tasklist.exe
2908	tasklist.exe
2912	tasklist.exe
2704	tasklist.exe
2712	tasklist.exe
1380	tasklist.exe
2144	tasklist.exe
1796	tasklist.exe
2736	tasklist.exe
588	tasklist.exe
2260	tasklist.exe
1980	tasklist.exe
2572	tasklist.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1632-1893-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	tasklist.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	2908	tasklist.exe
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	348	tasklist.exe
Token: SeDebugPrivilege	2240	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	588	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2260	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	1800	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	2316	tasklist.exe
Token: SeDebugPrivilege	1980	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2572	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2284	tasklist.exe
Token: SeDebugPrivilege	2144	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 536	1632	Builder.exe	31
PID 1632 wrote to memory of 536	1632	Builder.exe	31
PID 1632 wrote to memory of 536	1632	Builder.exe	31
PID 1632 wrote to memory of 536	1632	Builder.exe	31
PID 536 wrote to memory of 1848	536	cmd.exe	33
PID 536 wrote to memory of 1848	536	cmd.exe	33
PID 536 wrote to memory of 1848	536	cmd.exe	33
PID 536 wrote to memory of 3016	536	cmd.exe	34
PID 536 wrote to memory of 3016	536	cmd.exe	34
PID 536 wrote to memory of 3016	536	cmd.exe	34
PID 536 wrote to memory of 3012	536	cmd.exe	35
PID 536 wrote to memory of 3012	536	cmd.exe	35
PID 536 wrote to memory of 3012	536	cmd.exe	35
PID 536 wrote to memory of 2244	536	cmd.exe	36
PID 536 wrote to memory of 2244	536	cmd.exe	36
PID 536 wrote to memory of 2244	536	cmd.exe	36
PID 536 wrote to memory of 1692	536	cmd.exe	37
PID 536 wrote to memory of 1692	536	cmd.exe	37
PID 536 wrote to memory of 1692	536	cmd.exe	37
PID 536 wrote to memory of 2952	536	cmd.exe	38
PID 536 wrote to memory of 2952	536	cmd.exe	38
PID 536 wrote to memory of 2952	536	cmd.exe	38
PID 536 wrote to memory of 3044	536	cmd.exe	39
PID 536 wrote to memory of 3044	536	cmd.exe	39
PID 536 wrote to memory of 3044	536	cmd.exe	39
PID 536 wrote to memory of 2968	536	cmd.exe	40
PID 536 wrote to memory of 2968	536	cmd.exe	40
PID 536 wrote to memory of 2968	536	cmd.exe	40
PID 536 wrote to memory of 2580	536	cmd.exe	41
PID 536 wrote to memory of 2580	536	cmd.exe	41
PID 536 wrote to memory of 2580	536	cmd.exe	41
PID 536 wrote to memory of 2568	536	cmd.exe	42
PID 536 wrote to memory of 2568	536	cmd.exe	42
PID 536 wrote to memory of 2568	536	cmd.exe	42
PID 536 wrote to memory of 2684	536	cmd.exe	44
PID 536 wrote to memory of 2684	536	cmd.exe	44
PID 536 wrote to memory of 2684	536	cmd.exe	44
PID 536 wrote to memory of 2092	536	cmd.exe	45
PID 536 wrote to memory of 2092	536	cmd.exe	45
PID 536 wrote to memory of 2092	536	cmd.exe	45
PID 2568 wrote to memory of 2720	2568	cmd.exe	46
PID 2568 wrote to memory of 2720	2568	cmd.exe	46
PID 2568 wrote to memory of 2720	2568	cmd.exe	46
PID 536 wrote to memory of 1492	536	cmd.exe	48
PID 536 wrote to memory of 1492	536	cmd.exe	48
PID 536 wrote to memory of 1492	536	cmd.exe	48
PID 536 wrote to memory of 2252	536	cmd.exe	49
PID 536 wrote to memory of 2252	536	cmd.exe	49
PID 536 wrote to memory of 2252	536	cmd.exe	49
PID 2252 wrote to memory of 3068	2252	main.exe	50
PID 2252 wrote to memory of 3068	2252	main.exe	50
PID 2252 wrote to memory of 3068	2252	main.exe	50
PID 536 wrote to memory of 2748	536	cmd.exe	51
PID 536 wrote to memory of 2748	536	cmd.exe	51
PID 536 wrote to memory of 2748	536	cmd.exe	51
PID 536 wrote to memory of 2888	536	cmd.exe	52
PID 536 wrote to memory of 2888	536	cmd.exe	52
PID 536 wrote to memory of 2888	536	cmd.exe	52
PID 536 wrote to memory of 1064	536	cmd.exe	53
PID 536 wrote to memory of 1064	536	cmd.exe	53
PID 536 wrote to memory of 1064	536	cmd.exe	53
PID 536 wrote to memory of 1056	536	cmd.exe	54
PID 536 wrote to memory of 1056	536	cmd.exe	54
PID 536 wrote to memory of 1056	536	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E5FC.tmp\E5FD.tmp\E5FE.bat C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3016
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3012
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /tn "Desployer" /sc onlogon /rl HIGHEST /RU administrator /tr "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2244
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:1692
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:2952
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt main.exe
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3044
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt builder.py
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2968
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt build.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K build.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      4⤵
      PID:2720
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2092
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2252 -s 596
      4⤵
      Loads dropped DLL
      PID:3068
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2888
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1056
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1056 -s 604
      4⤵
      Loads dropped DLL
      PID:2532
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2356
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2040
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2040 -s 600
      4⤵
      Loads dropped DLL
      PID:824
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2076
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:676
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 676 -s 596
      4⤵
      Loads dropped DLL
      PID:1484
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1800
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1432
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1432 -s 596
      4⤵
      Loads dropped DLL
      PID:2220
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2992
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1100
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1100 -s 596
      4⤵
      Loads dropped DLL
      PID:1824
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1512
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2116
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2116 -s 596
      4⤵
      Loads dropped DLL
      PID:572
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1648
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2460
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2464
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2464 -s 596
      4⤵
      Loads dropped DLL
      PID:1700
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2152
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:812
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 812 -s 600
      4⤵
      Loads dropped DLL
      PID:2804
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2860
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:856
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 856 -s 596
      4⤵
      Loads dropped DLL
      PID:2928
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2684
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:372
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 372 -s 596
      4⤵
      Loads dropped DLL
      PID:2776
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2884
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2044
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2044 -s 600
      4⤵
      PID:2756
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2636
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1972
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1972 -s 584
      4⤵
      PID:852
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2100
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2020
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2020 -s 600
      4⤵
      PID:2476
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1788
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1132
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1624
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1624 -s 584
      4⤵
      PID:1804
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1832
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2732
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2732 -s 600
      4⤵
      PID:1712
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:376
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:316
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 316 -s 596
      4⤵
      PID:2236
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1784
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:348
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 348 -s 596
      4⤵
      PID:2380
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1448
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1768
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1768 -s 588
      4⤵
      PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1688
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1588
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1588 -s 600
      4⤵
      PID:2640
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:1692
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2804
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2804 -s 600
      4⤵
      PID:2552
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2548
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:932
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 932 -s 596
      4⤵
      PID:2928
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2712
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1040
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1040 -s 584
      4⤵
      PID:3056
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2780
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:600
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:2892
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2892 -s 600
      4⤵
      PID:2772
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:2060
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    PID:1872
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1872 -s 600
      4⤵
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Deobfuscate/Decode Files or Information

T1140

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E5FC.tmp\E5FD.tmp\E5FE.bat

Filesize
153KB

MD5
06b1f4c1dc6696dca6f41d1544095dd3

SHA1
a1a573ff8350cf00580e7f80a0c1a3b5eae3dc11

SHA256
8816e39795c3a00fe10ad49ea317b1babb48827e4a374a1a8e3f0d9fb1b5fbfc

SHA512
4d9df7a6e766ef4d9d912d05f1b7bcfc7419472388b47009474acec78a1d22a38cafb9c30e2171b5cca6daa6e54a222559867a99b49739745f77c699003fe4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.bat

Filesize
664B

MD5
85857405eca41f5e898322bf94400313

SHA1
f5d0e3170eea75ca0d19e237a9c9becd6e7988a2

SHA256
d26347df3e03141a940477d79848e5322bbdb2a71dc6c603f2d980c862421ab3

SHA512
16f4c957d1d4c07292e3bb0ed75874b7ecad7716bcb134d29a07bfcc96531c6775869996631eb74910d4e32c9513f54345e79fdb65534b2925ff82fefeca36c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
78KB

MD5
89b128970f04bdac02e869530cc6ca9d

SHA1
d64ca1bd7b3e37c371083634d734077fc35556eb

SHA256
0b1f297a18e9acc0bc7a610ea59812a2f20299f2b859826c6dfb4395c64e1537

SHA512
72d7ce321a47b6f56e5b210d616aaa319aa7ba9ac30d5ed2aa5de179b1dc49480d5b8c595a549d335757ad366767d2b7be6d7f7acd58222717425536a2798e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
109KB

MD5
846f8f4c504e1c6624df6a4093f4b7e4

SHA1
caf0f4e5e42f5d71dad29564af301543e5f622fd

SHA256
9dc5d600b3ee1863525e4c45af9a192083243068422865a80f9a8b4d54914675

SHA512
f2c3bcac544b77e76719c8d097c002481d71bfbefb8851c72d01489f167a594c0a0cd91554ccbe6c9a70224a5a6fc862c35353b8024f2f35a4da178669b061e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
4KB

MD5
a1fb4fb51c6e1f2ded0b20557e9cd39e

SHA1
bff4d82d9b3d1c878390a1fd33f0789d84148193

SHA256
c072be213981e1e335839502e1f56faccebb75c1bbb8b1d5f37729d3deb24593

SHA512
3e245c59dd90fd7ec6e9b1b2e4d4edd105ea7a022d08405805254b936c4def39b21d797807fc8b7586db68117b356ad49fcbcce5a41ae491b4b6a49cfab22138

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
4KB

MD5
dc9bdb1c6d4f66e63e11ab4e6c7b4b78

SHA1
c19b0491c783f9e774964fe18b86fee68a6c0370

SHA256
a6aec085063581c787c3f441d7a90fd433ec021a808d377e396bca0c60e01875

SHA512
b071d948db311cabfcede03c967bbd535d0a6cbbe4ba4242a0b05cd81ca4e7bf5be1f66da5232b338a544af6f432514cc6f28a0c23c855a4c97e71f63c3fc88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
11KB

MD5
49d9459efd4f5f224f565e2435838c00

SHA1
ef51f1437a75bf8a4f634fda7a459d70c8614176

SHA256
4b46262bb976d378acdb93c645afdfb13f12d761df9957cc922637fb41695dd5

SHA512
4faaa73e819435ccac1061f2f2634c99f2d5c98e01129a85dbc479ccf39468fb32787fa3ca9a566506c43939dc8017899e278401fe8b64869448f3b2493adac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
930B

MD5
d3a281ac54921d6da009f6f606064aad

SHA1
68cc1e926c86f40eff452063b36e06c4e4f253d8

SHA256
c40e41173f74464e05d5d91ccef913b0e869998958e195c0ee3f2edf0888bff8

SHA512
b38c32cda08b4c823e81c621fe6482f3cd65b8fd11202491310993593063f41a9f52399e7fe56c0a9a6f46f78a9448fc4af35a5cac60d5b616e328bb10180723

Download Submit
memory/316-1960-0x000000013FE20000-0x000000013FE38000-memory.dmp

Filesize
96KB

Download
memory/348-1962-0x000000013F140000-0x000000013F158000-memory.dmp

Filesize
96KB

Download
memory/372-1951-0x000000013FD30000-0x000000013FD48000-memory.dmp

Filesize
96KB

Download
memory/676-1904-0x000000013FCB0000-0x000000013FCC8000-memory.dmp

Filesize
96KB

Download
memory/812-1948-0x000000013F1F0000-0x000000013F208000-memory.dmp

Filesize
96KB

Download
memory/856-1949-0x000000013F6C0000-0x000000013F6D8000-memory.dmp

Filesize
96KB

Download
memory/932-1969-0x000000013F6E0000-0x000000013F6F8000-memory.dmp

Filesize
96KB

Download
memory/1040-1970-0x000000013F8C0000-0x000000013F8D8000-memory.dmp

Filesize
96KB

Download
memory/1056-1887-0x000000013F840000-0x000000013F858000-memory.dmp

Filesize
96KB

Download
memory/1100-1922-0x000000013F290000-0x000000013F2A8000-memory.dmp

Filesize
96KB

Download
memory/1432-1913-0x000000013FC20000-0x000000013FC38000-memory.dmp

Filesize
96KB

Download
memory/1588-1965-0x000000013F9D0000-0x000000013F9E8000-memory.dmp

Filesize
96KB

Download
memory/1624-1957-0x000000013FEA0000-0x000000013FEB8000-memory.dmp

Filesize
96KB

Download
memory/1632-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-1893-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-1964-0x000000013F100000-0x000000013F118000-memory.dmp

Filesize
96KB

Download
memory/1872-1973-0x000000013F0A0000-0x000000013F0B8000-memory.dmp

Filesize
96KB

Download
memory/1972-1954-0x000000013F320000-0x000000013F338000-memory.dmp

Filesize
96KB

Download
memory/2020-1956-0x000000013F990000-0x000000013F9A8000-memory.dmp

Filesize
96KB

Download
memory/2040-1896-0x000000013FE00000-0x000000013FE18000-memory.dmp

Filesize
96KB

Download
memory/2044-1952-0x000000013FCE0000-0x000000013FCF8000-memory.dmp

Filesize
96KB

Download
memory/2116-1930-0x000000013FBD0000-0x000000013FBE8000-memory.dmp

Filesize
96KB

Download
memory/2252-1879-0x000000013F070000-0x000000013F088000-memory.dmp

Filesize
96KB

Download
memory/2464-1939-0x000000013F930000-0x000000013F948000-memory.dmp

Filesize
96KB

Download
memory/2732-1959-0x000000013FE90000-0x000000013FEA8000-memory.dmp

Filesize
96KB

Download
memory/2804-1967-0x000000013FE30000-0x000000013FE48000-memory.dmp

Filesize
96KB

Download
memory/2892-1972-0x000000013F900000-0x000000013F918000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads