Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

This is no...us.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    187s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2024, 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    This is not my main pc I know this is a virus.exe

  • Size

    78KB

  • MD5

    4d601804a894428ce8719bac6de75a8b

  • SHA1

    c00c79b6b910d124d122686f5f348dcafa058f2d

  • SHA256

    239cd0cb22333078e84b78099c6ad692aba19a73c84a538beee8afd9d784c1ba

  • SHA512

    d918bc15045ddca604fb32de7f2aaa7898564720758f8be27f2c3a1e4569855ba6604bf19460f4cb5679cc700f51bea1682ba3f3124bbb694035f74d677345a6

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+lRPIC:5Zv5PDwbjNrmAE+lBIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMzQxNjI3NDA2MzkyMTIxMg.GA4uge.tcXtwnv2CLe92YrwuBSNwmd7Rtkm0NQUrT_j4E

  • server_id

    1213412110172823603

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\This is not my main pc I know this is a virus.exe
    "C:\Users\Admin\AppData\Local\Temp\This is not my main pc I know this is a virus.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1180
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.0.302845513\300194122" -parentBuildID 20221007134813 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {525c9024-4a1c-4995-acbe-0141486d55dc} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 2008 22447ad7758 gpu
        3⤵
          PID:4396
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.1.504308444\1033224672" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b5efcd6-8a0d-4ada-9173-42d05c4fed53} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 2412 2243b172858 socket
          3⤵
          • Checks processor information in registry
          PID:2304
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.2.1911225805\545518550" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3100 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {164aa06e-2d96-4605-9617-a736e3482ab3} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 2864 2244ba88258 tab
          3⤵
            PID:4772
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.3.1071554511\1496931585" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 2932 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {365ee5fc-d8b7-4927-bc1a-5607b20e868f} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 3576 2244a510b58 tab
            3⤵
              PID:4272
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.4.1693860957\1915352953" -childID 3 -isForBrowser -prefsHandle 4332 -prefMapHandle 4036 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4341c676-eb04-4015-8a82-5c5a67c97364} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 4340 2244cdf8058 tab
              3⤵
                PID:3728
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.5.837076872\91098956" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5092 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93846c2c-f8e9-44e1-ad93-f0a1c6cb3e38} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 5048 2244dbc4758 tab
                3⤵
                  PID:720
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.6.342057851\785793112" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {990bbae6-6bec-4e21-9b24-86ae422f78ce} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 5208 2244dcb0658 tab
                  3⤵
                    PID:3816
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3956.7.2141095620\63470542" -childID 6 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744b419e-bafd-41e9-bfcb-710190f2d3d5} 3956 "\\.\pipe\gecko-crash-server-pipe.3956" 5416 2244dcb0c58 tab
                    3⤵
                      PID:632

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  d7f2f52c27d22967c6705579db5e32d9

                  SHA1

                  ee763c2e284a470e5c8af5165cbd01e43d7be80f

                  SHA256

                  7addd282b8d935848cdb7fc7b56def05355040bdf10b99ace475950ef7466325

                  SHA512

                  121d16be7a112469936ed15d6ec7f08781d468efab912926489ffc8204344e1a835dc3386dd5f16cf4e875e67b32a1c69470f1612f00d6705d440871d9276daf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\13738997-b68d-4c3f-908e-5597e9d88d6c
                  Filesize

                  11KB

                  MD5

                  5b986020798c887457dcb8bebfc6b88e

                  SHA1

                  5c40040f51fd668efaedf374e04000e47b0295e3

                  SHA256

                  50a1720fb6947af7a0567ac908842cf7f5d72bd7cebdb804576523f506470442

                  SHA512

                  a265b75f28e9e96b2007682b9fb8f6a2aa5758e773a82f095b5624de6c9303ea3c0096bd3ea7f7e971e24b542e71687eab4541fc31379fff6bae2effee2ff4e3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\fe49fd71-b2b7-491d-a218-43c2e71f030a
                  Filesize

                  746B

                  MD5

                  491e715ba87ec747ca92d02d4e468247

                  SHA1

                  c5501f61ca22711e7e7ee728e8ccc168dbcc8ce2

                  SHA256

                  1ffd2c428a963dd33a225b7b6d658c9cfb90902c6dad9b89bc0be5b823b3640b

                  SHA512

                  88fbb54e57710163323737cedfd483cfebed0c83d56fe85b1e3aadf944976b4d96629ffa64c18ef372078cba59170eb658e3d07681cdadf33c656646cae2c548

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  b40a308cd4f6c9dbd116c07b64fd6ec8

                  SHA1

                  8fd808cb586476fe5a7d23ea6597cb5761b4a37d

                  SHA256

                  412f3ce28833dc5f43fbf399b01feb13de8805f3912d09c44e40593d3dce5031

                  SHA512

                  7a2d6e95e3077a1199a21c3a3038d20e8a09c0a46e67e5cee2f30c0b0d718f36775665a43e9dc0f2c6224f03323a3f5d205bffc443bfa27587321dceb817a031

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  06090dc6c5a8ee7950b8402de1089129

                  SHA1

                  b7108298d7fe6b322a750d5a6c391f12437a3986

                  SHA256

                  f65599b94fc477b3dfd19919bf5949c81a665e6aac6fd8947b14a79b23c1861d

                  SHA512

                  a45821c99d721ef09ae3f6ce1a6b51f62f3793fb8f29cb8f9714443bf2423234fb9e5eafc148309372f46d1e4fdc332548d32563990c0ae8bb442e9181a7de25

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  7293376d9b2c6b077a0c851b61fd48d0

                  SHA1

                  8ba0dc89bf86cbfbbdb3cf789f5d142205e123d6

                  SHA256

                  6ab7cc7b5fdab19a685d03d61fd453ac10c83b3ff94e2ee1d094e21637480c8d

                  SHA512

                  fba970ea714d1904b8f6ae099f06df8dd429c4cff2106b64d8dd51f1e8fcfed645e6c2759b1122fcbe915f05655bc6cdde61535de1f8a7323fb2027435da0f29

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore.jsonlz4
                  Filesize

                  891B

                  MD5

                  6d8c523c043c3947d6f29cccaab6b18a

                  SHA1

                  2eb759d452c913783053b98177ec2e69b987930a

                  SHA256

                  6afdc5c723dcf4ead1ec215ce4b5afc39fc037284ed9d1d2488a309994f8d987

                  SHA512

                  4d8329d34e753c1f26f94ce3ea443051617b4e257bb2da618ba6022a215774987fbd23f9e97ba34f144c4994ebd06629dd027ad10bd96d2c51470e50e631203d

                  Download Submit

                • memory/1180-3-0x000001BA532F0000-0x000001BA53300000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1180-6-0x000001BA532F0000-0x000001BA53300000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1180-5-0x00007FF9B9FE0000-0x00007FF9BAAA1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1180-4-0x000001BA53B60000-0x000001BA54088000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/1180-0-0x000001BA38D60000-0x000001BA38D78000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/1180-2-0x00007FF9B9FE0000-0x00007FF9BAAA1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1180-1-0x000001BA53360000-0x000001BA53522000-memory.dmp

                  Filesize

                  1.8MB

                  Download