Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/03/2024, 13:25

General

  • Target

    Client-Swifty.exe

  • Size

    78KB

  • MD5

    8c8c3b33f21f55ec38d47329a686b6f5

  • SHA1

    a13c5cf6ed1ce13e20df651063268884e9ed720b

  • SHA256

    9ef1dc17e0bfdc9783f358d4a035aa1286afb14bbf102adddfe6e09557c06cd8

  • SHA512

    422e813722550b4713c91add065bd5cb5fbc4d05c7299c47f7b5a3042bf4d49004b0f5e1812fa013ce5541c6a57da6cd11ab7b93f22abefce5ba98cfb63e74af

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+XPIC:5Zv5PDwbjNrmAE+fIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTE0NDQ0MTY1MjYyNzM4MjM1Mg.G4ojxo.MVKAb4PxpTCWI69RfpwGHRT20JacbrUP_44hU8

  • server_id

    1164483448111632415

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-Swifty.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-Swifty.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3956
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2176-14-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-12-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-17-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-16-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-15-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-5-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-6-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-7-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-13-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/2176-11-0x0000021A44EF0000-0x0000021A44EF1000-memory.dmp

    Filesize

    4KB

  • memory/3956-1-0x0000024B76CD0000-0x0000024B76E92000-memory.dmp

    Filesize

    1.8MB

  • memory/3956-4-0x0000024B775B0000-0x0000024B77AD8000-memory.dmp

    Filesize

    5.2MB

  • memory/3956-0-0x0000024B74650000-0x0000024B74668000-memory.dmp

    Filesize

    96KB

  • memory/3956-3-0x0000024B77070000-0x0000024B77080000-memory.dmp

    Filesize

    64KB

  • memory/3956-2-0x00007FFDB2A20000-0x00007FFDB34E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3956-18-0x00007FFDB2A20000-0x00007FFDB34E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3956-19-0x0000024B77070000-0x0000024B77080000-memory.dmp

    Filesize

    64KB