Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 13:25
Behavioral task
behavioral1
Sample
Client-Swifty.exe
Resource
win10v2004-20240226-en
8 signatures
150 seconds
General
-
Target
Client-Swifty.exe
-
Size
78KB
-
MD5
8c8c3b33f21f55ec38d47329a686b6f5
-
SHA1
a13c5cf6ed1ce13e20df651063268884e9ed720b
-
SHA256
9ef1dc17e0bfdc9783f358d4a035aa1286afb14bbf102adddfe6e09557c06cd8
-
SHA512
422e813722550b4713c91add065bd5cb5fbc4d05c7299c47f7b5a3042bf4d49004b0f5e1812fa013ce5541c6a57da6cd11ab7b93f22abefce5ba98cfb63e74af
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+XPIC:5Zv5PDwbjNrmAE+fIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTE0NDQ0MTY1MjYyNzM4MjM1Mg.G4ojxo.MVKAb4PxpTCWI69RfpwGHRT20JacbrUP_44hU8
-
server_id
1164483448111632415
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 26 discord.com 27 discord.com 34 discord.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2176 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3956 Client-Swifty.exe Token: SeDebugPrivilege 2176 taskmgr.exe Token: SeSystemProfilePrivilege 2176 taskmgr.exe Token: SeCreateGlobalPrivilege 2176 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe 2176 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-Swifty.exe"C:\Users\Admin\AppData\Local\Temp\Client-Swifty.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2176