Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

silence/si...ce.exe

windows10-1703-x64

10

Resubmissions

19/03/2024, 16:46

240319-t968vagg74 10

19/03/2024, 16:44

240319-t811fahe2x 10

19/03/2024, 16:41

240319-t68x9sgf77 10

Analysis

  • max time kernel
    76s
  • max time network
    89s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/03/2024, 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    silence/silence-workspace.exe

  • Size

    1.7MB

  • MD5

    839a13e8b65aab0cb6d061ac82a8e3d4

  • SHA1

    3de9d9d68c94493867bcb081d093bf39d45bf923

  • SHA256

    a8741e78c8b8b86042814e65b5a7ab358f1050757de3738a0d358097db996bd3

  • SHA512

    ea2ded5b24dc88af32673957a7cc85c5b602fec5731c4af4d3cb9859009f0af6d2b9b629253090d23715af3b8030fc5727612f92a5339e08748fad5694eff2bc

  • SSDEEP

    49152:O0xx0GTBlPBAc2AVMlsHbeucMYc5pSoUiGG8:OWTkcH3Hyo

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwODA5NTM2NDk2MDM1NDM3NA.GizXN5._a-pu5nHBPQiBTo-MibYQvf7mDtkutfsttwhUo

  • server_id

    1208095629734322196

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
    "C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
      "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:428
    • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
      "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
          4⤵
            PID:3728
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:908
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:4916

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
          Filesize

          78KB

          MD5

          6f9c42f940f854243a2f445c8cb750ec

          SHA1

          aeed75218753dd1f184cc55ebbe8a1a80e5a59f3

          SHA256

          15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a

          SHA512

          612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
          Filesize

          1.6MB

          MD5

          8b393057c5c9026495f8efbe7234b1c4

          SHA1

          21aff93ce1ff29a961ac947cafd75b6994fb5ae8

          SHA256

          c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30

          SHA512

          57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

          Download Submit

        • memory/428-7-0x000001F6B34B0000-0x000001F6B34C8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/428-10-0x000001F6CDBD0000-0x000001F6CDD92000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/428-12-0x00007FFB36FF0000-0x00007FFB379DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/428-13-0x000001F6CDB50000-0x000001F6CDB60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/428-14-0x000001F6CE2D0000-0x000001F6CE7F6000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/428-15-0x00007FFB36FF0000-0x00007FFB379DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/428-16-0x000001F6CDB50000-0x000001F6CDB60000-memory.dmp

          Filesize

          64KB

          Download