Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1794s -
max time network
1165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 18:04
Behavioral task
behavioral1
Sample
tszpullertool.exe
Resource
win10v2004-20240226-en
3 signatures
1800 seconds
General
-
Target
tszpullertool.exe
-
Size
78KB
-
MD5
490e1d60373872243f705bdf46aab56a
-
SHA1
066dc2cd21f2289e6bf52e374c93480fa165d8f8
-
SHA256
a71b6a07ff699594a51120bd9634c46b7eafef39d43c1139439ac846280fd32a
-
SHA512
d76824c27a16e39ee6d92a32b6db3f70c0d1d026c934a690ab087851df993fc7197027dc8c077db6fc1eb660afb0eed71ef2d43d1d117b81885b52d1568dbeb6
-
SSDEEP
1536:M2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+rPI2:MZv5PDwbjNrmAE+DI2
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTIwNjYzMDA2MDg1NDA4MzYzNA.GvVyvp.mAZUqpiSErc4n9lJ5dxHXEniOy_EsnBOiN0dn4
-
server_id
1217894352093708318
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 13 discord.com 14 discord.com 46 discord.com 53 discord.com -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 808 tszpullertool.exe Token: SeManageVolumePrivilege 4332 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tszpullertool.exe"C:\Users\Admin\AppData\Local\Temp\tszpullertool.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:2156
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332