Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

svc_host.exe

windows10-2004-x64

10

Resubmissions

15/03/2024, 12:49

240315-p2jqcsag33 10

15/03/2024, 07:43

240315-jklwhadc47 10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svc_host.exe

  • Size

    78KB

  • MD5

    eb821d20efb0c32d0bd3614a5e3b6262

  • SHA1

    8a718eb6acde2e7c8a38903d104ddd13d8259476

  • SHA256

    c1e6b4a0fbc8a4847fb5d8407153a88ab855de8b3ce5ae90d9b4fa3b5d357df9

  • SHA512

    19121eebfbf91ae214451c86135cb988a2dc1d66f078c8c1d6bd4d1517862e0bd7fe09af5affc6fb0ea804f5247c67d38ac3c1bcbdb6dba9742fa51fa7021493

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+gPIC:5Zv5PDwbjNrmAE+EIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxNzg3OTI5NjU4MDkxNTMzMA.Gun2Gk.3qQXjIgklnHhehF2Rahn_w8VgV15V483p13AWM

  • server_id

    1217879157267234846

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svc_host.exe
    "C:\Users\Admin\AppData\Local\Temp\svc_host.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4872
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2220
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.0.844200615\1265675642" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07485867-a8db-4a62-b396-6db09f778ac2} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 1976 1d3aafdc158 gpu
          3⤵
            PID:1784
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.1.1410095613\1963065234" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee25852-c13b-4a15-8817-e0f5437fc247} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 2376 1d3aaefa558 socket
            3⤵
            • Checks processor information in registry
            PID:692
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.2.1430170016\2104520590" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3100 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3c1f7f-624f-41dc-aa42-1f3ce971ecb0} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 3116 1d3aaf61158 tab
            3⤵
              PID:1948
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.3.1792211377\695340028" -childID 2 -isForBrowser -prefsHandle 1028 -prefMapHandle 1104 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {976b810b-1952-4c9c-ba28-780c759f110e} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 3616 1d39e761f58 tab
              3⤵
                PID:5192
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.4.2034656483\875799243" -childID 3 -isForBrowser -prefsHandle 4316 -prefMapHandle 4340 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {903648f3-1917-4732-a002-55657629de4d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 4256 1d3b02dc758 tab
                3⤵
                  PID:5524
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.5.915622085\1105427084" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55c0a0e-4644-404f-bb3e-6ec7954a8c8d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5200 1d39e72e458 tab
                  3⤵
                    PID:5976
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.6.604236659\171800177" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5316 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f442374b-1519-4bfd-b41c-0d23cdf1f96d} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5152 1d3b13c4458 tab
                    3⤵
                      PID:5984
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1340.7.1170322613\1286592457" -childID 6 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {279b6e3f-4b80-4028-9e9e-f105968ae9be} 1340 "\\.\pipe\gecko-crash-server-pipe.1340" 5588 1d3b13c5f58 tab
                      3⤵
                        PID:5992
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Checks SCSI registry key(s)
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:2012
                  • C:\Users\Admin\AppData\Local\Temp\svc_host.exe
                    "C:\Users\Admin\AppData\Local\Temp\svc_host.exe"
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5168

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    94960e47357987e2387d2586316e60c7

                    SHA1

                    2c99d55a0cbfb73f2081800421eb4aa48d7483a0

                    SHA256

                    569be2ab63cc7279580ed02a7e09a12d11bf8b8076ef6053d7b0a45bac925ab1

                    SHA512

                    9e40501a932b63ef70768dd9060994f84a622695bf8c9afa79c5d04ef6ee76cd000f5d64cf836c87e2f0101b7f8d3f055da1b31b98a9c45fb395bffa66448a52

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\351e179a-84ee-487e-9dc2-3f6c03f98f9c
                    Filesize

                    11KB

                    MD5

                    364b05b4de9124939f2ae56bb19e4021

                    SHA1

                    4d75ab8f051806a55be48138f35b280fe40a02aa

                    SHA256

                    abedc63d1fa9c2efe6b6775e4d2cc5e99e7cb8ce7a6e2fbe5b2ae19d84bc0ad7

                    SHA512

                    1ef6e55a10eb61271adfcf622dee18a65fefc134e15f23528c7303b8dc04cd43805355d0093b7bb2a88806cfc436f36bf2b64ae2795f9a80ff06919be193d657

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\e8064f9d-5533-4fed-b0da-745ca8b48d11
                    Filesize

                    746B

                    MD5

                    1b4990ac929e5bf1aa952e30fa367bc3

                    SHA1

                    7fc6ce32d47646b04e15947d00dc4cc1d7980ddf

                    SHA256

                    944121b5a070328a50038361c8993190b832609b23bf87e7ccb60c4e477d6191

                    SHA512

                    52a55aa80dbafed53c345b0d7e135bce2a9d26b8ff0f7c05a0659500546d1093b12e1efee6b6d7a318350c32d08da7ce8df6ae1f6076858e5df24fc8b58e2207

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    373a869ebbc88dafb527739fbadc9930

                    SHA1

                    8680487b85ee810366b6f2bd9491ab1181d93669

                    SHA256

                    068cf3131aa8e707b1e614663e3b6bc8fe67b37a1a6ba96739aaa5c32b12add4

                    SHA512

                    99e5c963f6bbe9c6822c1491b4de223ce8aef5f7f18d355227ddff4d5c2e4631d094ba10dfb5f1e28eed01c4e80b94f3d77c1037d8ec908e29273d839764ca5e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    f6e39e5f8ed82524bdfac8a3b3d3dea4

                    SHA1

                    eed8315e00c678d3583c0cde8677b72a88d1ec12

                    SHA256

                    cafd914e07ddbbdccd40cec4d0bbde87e75f9c913b5f885a69af493ba5c8dd0b

                    SHA512

                    d763e31d5715146c1edeade3ee00a470596b6f1d1d8cea8b42d90b925a0b8d90385733414a0f56498ffae9cbc9c4efcb484db06dc3fb18cca8b3631dcc8e8d13

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    4214b6a3945e6084590f58c3530cf308

                    SHA1

                    8f0c397f4c027658af2f54e9985b412c780dbf72

                    SHA256

                    567cbc51ee36f21cc5650b3df061b1011a73ef055bf42e93cbc47fd9356faf2c

                    SHA512

                    738d4ff994810764c49cf054e8b56cd0ac3e2477865607b529ca3cbce48ae0151b5f74937fd794bca52f0e3a2ba645ed46c2845591cfc05d036baeb7b6978dad

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore.jsonlz4
                    Filesize

                    879B

                    MD5

                    fad6ba70afa5a1c7a60249acc56aba87

                    SHA1

                    ea9ab4daa0d5e17a573c9b05d87532c74a36a488

                    SHA256

                    4d8b3708606fdfa4a3ec42920117930debbb6e36e3ca71e1605e2033c3fe0177

                    SHA512

                    7b537c4481a383ad8f5607c3d1071b31932814cd436397e1f44fc7de1b6055fe3b8d31c61e77ba33ae8081b3a2ca0f1ae0173f30b231d04ae891968796cb8517

                    Download Submit

                  • memory/2012-167-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-179-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-174-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-178-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-177-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-176-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-175-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-173-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-168-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2012-169-0x0000028F8DB00000-0x0000028F8DB01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4872-0-0x0000023FD2520000-0x0000023FD2538000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/4872-1-0x0000023FECB00000-0x0000023FECCC2000-memory.dmp

                    Filesize

                    1.8MB

                    Download

                  • memory/4872-2-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4872-3-0x0000023FECA60000-0x0000023FECA70000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4872-4-0x0000023FED340000-0x0000023FED868000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4872-5-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4872-6-0x0000023FECA60000-0x0000023FECA70000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4872-182-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5168-180-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5168-181-0x00000240FABD0000-0x00000240FABE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5168-183-0x00007FFB11DC0000-0x00007FFB12881000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5168-184-0x00000240FABD0000-0x00000240FABE0000-memory.dmp

                    Filesize

                    64KB

                    Download