Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 15:49

General

  • Target

    Unlock All Billy.exe

  • Size

    78KB

  • MD5

    b4a57479c7754d98d3c24184136244e0

  • SHA1

    5b7a8ffeef085170e1b1476d34ae711a2755d03f

  • SHA256

    b02aab2d452a0d14905e4604585e468df404df4a1e3ff976242c9a1649cb79e1

  • SHA512

    1202d809558cbf9335237b68d8bcf5b8664541cfc73cf775592ff295c0a614813b9fa860cb5616cea91a477cbae0611bc67bcb2c40d4882507462c4a64354a46

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTE1NTYxNDI0OTExMzEwMDUxMg.GlI09c.PPYEfwNkQ35akO73sP2AoFyaLNHOiyxqGQ7HJQ

  • server_id

    1155588687292285040

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Unlock All Billy.exe
    "C:\Users\Admin\AppData\Local\Temp\Unlock All Billy.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2232 -s 596
      2⤵
        PID:2440

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2232-0-0x000000013FBE0000-0x000000013FBF8000-memory.dmp

      Filesize

      96KB

    • memory/2232-1-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

      Filesize

      9.9MB

    • memory/2232-2-0x000000001B870000-0x000000001B8F0000-memory.dmp

      Filesize

      512KB

    • memory/2232-3-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

      Filesize

      9.9MB