Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Z1ON Dot N...v2.exe

windows7-x64

10

Z1ON Dot N...v2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    24/03/2024, 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Z1ON Dot Net Obfuscator v2.exe

  • Size

    833KB

  • MD5

    583db42843ecdb4f5ba790beb43572a4

  • SHA1

    a55fc37ba004e327fd9444489ac19789bfe267c5

  • SHA256

    b1f32da53c09893e50094325682f61d0b6e662ab7d1df628dd5167d25b7a7c67

  • SHA512

    98dd5a4b63c6e69d084fbf31a5e48a61050be94f8e8613048fcd056cb1960deeed565c891066d6e9b4114166335a6ecfe5cfdc746955dfa589f89db14df82faa

  • SSDEEP

    12288:HCwqF4Ef4tYimS7hD/4onsU9hCqdTsGyFdfJ:iB4m4tcuD/4osU9hCWsDb

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMzkyOTAxNDQ4MjQzNjE2Nw.G9M0hN.nD-_EEbklL8mO6w0EeRslibB6lcsoMD5XbbFRo

  • server_id

    1209523015184818257

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe
    "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1304 -s 596
        3⤵
        • Loads dropped DLL
        PID:2596
    • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
      "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 628
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2736
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
    Filesize

    1023KB

    MD5

    c7fa9a7d9b0d2cdb6742477158b190f8

    SHA1

    44258c848294d209c6504640f9c785241485fc28

    SHA256

    08aa03c784c192aa76acc4da4f79eca7a86e769e405e33c4bff9b0246989af74

    SHA512

    2f0b2af4400a16abf365fcc122ae92e6a6ebcd0aa5ce77a7601e27f219dd03132eb47ad9a84916028e3dd0eb228000652ad8f3059f6e717fa22c4049c9ec5540

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Client-built.exe
    Filesize

    78KB

    MD5

    cc9f95bc616eaa9f2e7b6318eac6ef60

    SHA1

    60f6705dad7f26f6284006f29f7fb64b9075fed1

    SHA256

    e9157690a3c1cab1d44afaabbdceb26679f5a02202f185ad854f6264a23a7c31

    SHA512

    abf98ac5e492d56808b10111c9663a59251c0a0c61396b6d49307bce3357e6585c0da7f20f78707846f18af1fa5bccb4d9d91b4778140b583ae64462d770f668

    Download Submit

  • memory/1160-26-0x0000000004A70000-0x0000000004B4C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1160-18-0x0000000000A60000-0x0000000000B64000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1160-33-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1160-21-0x0000000004B90000-0x0000000004BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1160-19-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-16-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1304-20-0x0000000002260000-0x00000000022E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1304-10-0x000000013F480000-0x000000013F498000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1304-34-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2028-17-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2028-2-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2028-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2028-0-0x00000000000E0000-0x00000000001B6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2552-35-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2552-36-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download