Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/03/2024, 18:26
Static task: static1
Behavioral task: behavioral1
- Sample: Z1ON Dot Net Obfuscator v2.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: Z1ON Dot Net Obfuscator v2.exe
- Resource: win10v2004-20240226-en
General
- Target: Z1ON Dot Net Obfuscator v2.exe
- Size: 833KB
- MD5: 583db42843ecdb4f5ba790beb43572a4
- SHA1: a55fc37ba004e327fd9444489ac19789bfe267c5
- SHA256: b1f32da53c09893e50094325682f61d0b6e662ab7d1df628dd5167d25b7a7c67
- SHA512: 98dd5a4b63c6e69d084fbf31a5e48a61050be94f8e8613048fcd056cb1960deeed565c891066d6e9b4114166335a6ecfe5cfdc746955dfa589f89db14df82faa
- SSDEEP: 12288:HCwqF4Ef4tYimS7hD/4onsU9hCqdTsGyFdfJ:iB4m4tcuD/4osU9hCWsDb
Malware Config
Extracted family: discordrat
- discord_token: MTIxMzkyOTAxNDQ4MjQzNjE2Nw.G9M0hN.nD-_EEbklL8mO6w0EeRslibB6lcsoMD5XbbFRo
- server_id: 1209523015184818257
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1304  Client-built.exe
  1160  Z1ON Dot Net Obfuscator.exe
- Loads dropped DLL (11 IoCs)
  pid   Process                         count
  2028  Z1ON Dot Net Obfuscator v2.exe  1
  2596  WerFault.exe                    5
  2736  WerFault.exe                    5
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2736  1160        WerFault.exe  29
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process      count
  2552  taskmgr.exe  8
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2552  taskmgr.exe
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid   Process      count
  2552  taskmgr.exe  34
- Suspicious use of SendNotifyMessage (34 IoCs)
  pid   Process      count
  2552  taskmgr.exe  34
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                         procid_target  count
  PID 2028 wrote to memory of 1304   2028  Z1ON Dot Net Obfuscator v2.exe  28             3
  PID 2028 wrote to memory of 1160   2028  Z1ON Dot Net Obfuscator v2.exe  29             4
  PID 1304 wrote to memory of 2596   1304  Client-built.exe                30             3
  PID 1160 wrote to memory of 2736   1160  Z1ON Dot Net Obfuscator.exe     31             4
Processes
- C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe"
  PID: 2028
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    PID: 1304
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1304 -s 596
      PID: 2596
      - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
    PID: 1160
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 628
      PID: 2736
      - Loads dropped DLL
      - Program crash
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2552
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1023KB
  MD5: c7fa9a7d9b0d2cdb6742477158b190f8
  SHA1: 44258c848294d209c6504640f9c785241485fc28
  SHA256: 08aa03c784c192aa76acc4da4f79eca7a86e769e405e33c4bff9b0246989af74
  SHA512: 2f0b2af4400a16abf365fcc122ae92e6a6ebcd0aa5ce77a7601e27f219dd03132eb47ad9a84916028e3dd0eb228000652ad8f3059f6e717fa22c4049c9ec5540
- Filesize: 78KB
  MD5: cc9f95bc616eaa9f2e7b6318eac6ef60
  SHA1: 60f6705dad7f26f6284006f29f7fb64b9075fed1
  SHA256: e9157690a3c1cab1d44afaabbdceb26679f5a02202f185ad854f6264a23a7c31
  SHA512: abf98ac5e492d56808b10111c9663a59251c0a0c61396b6d49307bce3357e6585c0da7f20f78707846f18af1fa5bccb4d9d91b4778140b583ae64462d770f668