Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240419-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-05-2024 08:10

General

  • Target

    Tria.gay.exe

  • Size

    629KB

  • MD5

    b3cea39c19b4c87e9a4e5400fa5c9c48

  • SHA1

    d08516f598618d5d01f4ca0f536e1c946fe6bfec

  • SHA256

    c41bbd9aeb765015231cb1b05de9ef13fba577877a226817cfad9bfeebe8fc5a

  • SHA512

    322e324f2fe98ab272e92cb2663b16e20db7b61a1a170e2eb1c31b0ff9bf17d1c9a6e66819bd628d9611b6ed23be2e353b465f9bb7c9662252c5a49126c1dc6d

  • SSDEEP

    12288:0CQjgAtAHM+vetZxF5EWry8AJGy0Aq2aQOyfHrJnU44:05ZWs+OZVEWry8AFu2aQvfHmR

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzNDcyMDk2NjIzNjU3MzgwNg.GAgMA7.5Fr2VglBtzELzBN5jTv1isgkXurp9_3fiYShzU

  • server_id

    1235156619520901140
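The extracted config above is the most actionable part of this report. As an added example (not part of the sandbox report, and not the RAT's own code), the script below decodes the structure of the two extracted values using only publicly documented facts about Discord: the first dot-separated segment of a bot token is the base64 of the bot's user ID, and bits 22 and up of any Discord snowflake are milliseconds since 2015-01-01 UTC. It works from the values copied from this page; the function names are mine. The token is a live credential for the operator's bot and is handled here only as a string to fingerprint and report, never to authenticate with.

```python
import base64
from datetime import datetime, timezone

# Values copied from this report's "Malware Config" section.
# The token is a credential for the operator's bot: an indicator to
# report and have revoked, not something to log in with.
DISCORD_TOKEN = "MTIzNDcyMDk2NjIzNjU3MzgwNg.GAgMA7.5Fr2VglBtzELzBN5jTv1isgkXurp9_3fiYShzU"
SERVER_ID = "1235156619520901140"

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that Discord emits without '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def parse_bot_token(token: str) -> dict:
    """Split a Discord bot token into its three dot-separated parts.

    Part 1 is the base64 of the bot user's snowflake ID, part 2 encodes a
    timestamp, part 3 is the secret. Only part 1 is needed to attribute the
    sample to a bot account; the secret is never decoded or used here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    user_id = _b64url_decode(parts[0]).decode("ascii")
    if not user_id.isdigit():
        raise ValueError("first segment does not decode to a numeric ID")
    return {"bot_user_id": user_id, "secret_len": len(parts[2])}


def snowflake_created_at(snowflake: str) -> datetime:
    """Bits 22..63 of a Discord snowflake are milliseconds since the Discord epoch."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage_config(token: str, server_id: str) -> dict:
    """Turn the extracted config into a small, reviewable indicator record."""
    bot = parse_bot_token(token)
    return {
        "bot_user_id": bot["bot_user_id"],
        "bot_created": snowflake_created_at(bot["bot_user_id"]).isoformat(),
        "server_id": server_id,
        "server_created": snowflake_created_at(server_id).isoformat(),
        # Token prefix only: enough to match against other reports,
        # not enough to use the credential.
        "token_fingerprint": token.split(".")[0] + ".…",
    }


if __name__ == "__main__":
    for key, value in triage_config(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key:>18}: {value}")
```

The creation timestamps are useful context when reporting the bot and guild to Discord: a bot account and server both minted days before the sample was submitted is typical of a throwaway C2 setup, and the numeric bot ID (not the secret) is what other reports and the bot's public profile can be matched on.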

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (26 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe
    "C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2244
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa5888cc40,0x7ffa5888cc4c,0x7ffa5888cc58
      PID:5100
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2056,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2052 /prefetch:2
      PID:5048
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2368 /prefetch:3
      PID:2988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2552 /prefetch:8
      PID:4344
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3148 /prefetch:1
      PID:1220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3320 /prefetch:1
      PID:4112
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4504 /prefetch:1
      PID:3864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4764 /prefetch:8
      PID:640
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4948 /prefetch:8
      PID:4320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5144 /prefetch:8
      PID:4696
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5084 /prefetch:8
      PID:1852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5100,i,17785439572201653439,2177716296751833398,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5040 /prefetch:8
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1824
  • C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
    PID:3808
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:2316
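The tree above shows the chain worth detecting: the submitted sample in %TEMP% unpacks a payload into a RarSFX0 directory (the directory name a WinRAR self-extracting stub creates under %TEMP%) and executes it, which is what the "Executes dropped EXE" signature fired on. As an added example that is not part of this report, the script below runs that parent/child check over a handful of process-creation events constructed from the tree above. The parent PIDs are inferred from the tree's nesting (the report shows nesting, not PPIDs), and a few of Chrome's helper processes are included so the rule can be seen ignoring them. The event shape, regexes and function names are my own, not a sandbox or SIEM API.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


# Process-creation events constructed from this report's process tree
# (PIDs, images and command lines as shown there; ppid values are inferred
# from the tree's nesting, and 0 marks a root the report gives no parent for).
EVENTS = [
    (3612, 0, r"C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Tria.gay.exe"'),
    (3928, 3612, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"'),
    (2244, 0, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (4988, 0, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    (5100, 4988, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler'),
    (1824, 4988, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox'),
]

# User-writable profile locations a packed dropper typically lives in and unpacks into.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# Payload executed straight out of the RarSFX<N> directory a WinRAR SFX stub creates.
RARSFX_PAYLOAD = re.compile(r"\\RarSFX\d+\\[^\\]+\.exe$", re.IGNORECASE)


def build_tree(events):
    """Index events by PID and link each process to its parent's children list."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for proc in procs.values():
        if proc.ppid in procs:
            procs[proc.ppid].children.append(proc)
    return procs


def find_sfx_drop_and_execute(procs):
    """Flag a child run from a RarSFX<N> directory whose parent also runs from
    a user-writable path: the drop-and-execute pattern of a self-extracting
    archive carrying a payload. Program Files / System32 parents are left alone."""
    hits = []
    for proc in procs.values():
        parent = procs.get(proc.ppid)
        if parent is None:
            continue
        if RARSFX_PAYLOAD.search(proc.image) and USER_WRITABLE.match(parent.image):
            hits.append({
                "parent_pid": parent.pid, "parent": parent.image,
                "child_pid": proc.pid, "child": proc.image,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sfx_drop_and_execute(build_tree(EVENTS)):
        print(f"SFX drop-and-execute: {hit['parent']} (PID {hit['parent_pid']}) "
              f"-> {hit['child']} (PID {hit['child_pid']})")
```

Matching on the parent's location rather than only the RarSFX path matters in practice: legitimate installers are also WinRAR SFX archives, but they are usually launched from a download directory by Explorer, not from a second executable sitting in AppData, so the pair of conditions keeps the rule from firing on every self-extracting installer.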

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize: 649B
    MD5: 7ed9242bdae4b0ea6c1b89ecc176d6e9
    SHA1: d17fdded1d96087167d2d8622847669a5b99c6c3
    SHA256: 1cb7287bf8e697ef560a2292c43c792ef17b5fff25e1d900c10dbfdc2d303733
    SHA512: 0f49fc4681560f473002fb9156dd4c368503c0c8ee1b0f33c5e64993ea0242912ecc30fd2da16d9ae328bf49eba026f6faa6f5841c7bb2a441e9d6921671b1e7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: bac1cf5bca5666d1dce454dcbed3cff7
    SHA1: 7c6438687b2dc0286f66d29c58628104d0ea4a64
    SHA256: 7db824b737e54b07ff909c8516244e9e6b107dc49a1a3fb4cb5f58c540f312eb
    SHA512: 544a04fe4a048ad030ee57513be48fb9e22172bdf8391ca66e25d225d0d6e48e22673a26f70cb800e95d92bd27ca041d8e4aaf475a2e258e99a566f58c5c0aa4

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: d7cff7ac4f7f07011cd556cb7ca2675b
    SHA1: 67a2defbb559c44cce4d3f6ffbb83b90a314aa0c
    SHA256: 38c75fd78506ecf589002b8292ac559b8f94c682a23152015027b3c531c2ea55
    SHA512: 540543a08b2021c8d69be11925d5502b74277bfc7407206dd68d376573d6e25913062efdd90d6461a7e5d471cec151c5ab39d546f3e7dba92d1762382b5f50ad

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 1eabc167d8294b7aa294a953dc33110d
    SHA1: c47d7eb2a0696fdaec7a944e3d908d554c49b978
    SHA256: b4ba47ac6b8ae67db2bd6a40a93dc3c4f1a005d4e207f2b87d93b7e227727f2f
    SHA512: 668705e7ce873a5c5e7608fc19e9987149b5d7c5c5866381f456d2ebc91fd0e827b9dd74bf42fcf9c59f35c3e7502de97baf66a95302f0d44733a8d4aca93422

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 04d0abcc782739fb0c56e89cbaf0c703
    SHA1: 3f488f0a62254b14cc9069924fb4bde9b9ebc1b4
    SHA256: 8389f294b25aa6fa0e3f99ccf9328976b14de6a456b0a23c0f96b31bcb83ae66
    SHA512: d280a11cbd3ea1a35ef5ed8091bc2174bb0dfb9a2bcf460c28051a043a6fbef9d2b5efe895b2fbd3777090bfad4a3a71ac94cc15ad0dfed26e1a50ea2728590e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 18e1e4f01a51d0f4c5fc76400122291e
    SHA1: e9b673443a5c84d000082abbadc5fbc271ffc1d1
    SHA256: cfb9569484971038321f26bddb04523fa39d944d7ee8ed8f6eae434463d75934
    SHA512: 4e55438ba12864103df059cae6d9975902edb6d82b2196a232071d8e5e97eacc09a9dafb5d899b76369045cb5ac2a2086219e8f725ab6e23590101b778f2e6ef

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: d7a1e7d5f22095cc1a116ba0b786f945
    SHA1: a0466525f35f8e4a5eacb0a82e5b4afb1c53656b
    SHA256: 9b9d15c9cd988a922f09c29f2a223cc6da39f4aef13f3e13b5462030169e8359
    SHA512: fee81cfd3a869e88c597f2b11bacf5d00654baed7d5e03fe6dd31caa0be6f05be7f862ea3912032a4e728bd3b196e1cd5d4b8fd8218ede04d06f40c07ab81664

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: ffefdf9f2a2a83e24d154decbdb78a52
    SHA1: 40066604fb21e42549830b4ce35920b0238c43d8
    SHA256: 0aa8ae81eefd84f12c11f263b492da3ff26238f6fdfbf6944230c628d638c6dd
    SHA512: 3dab1ccd5bda6d6a7922887ae3f4b469c780711c4b8e2bd8989a5af4590c96ef47b13b2d81925f905226b88806f172e5dd2dc93744d2a0d0d0d0813d77626906

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: bbab7f88066206cfd6aa225c96010218
    SHA1: 9dfb4094e740fb0437337d05bc15bc829661503a
    SHA256: 4e6e1cb17ead48399100217f55ca34c6debe2f3ccc5b5145add37026d04f3a94
    SHA512: 05722b6c99e62d651e5483bcc46d7677a926dd5b6519b69d3997597acf516704b6b407c414489b0d3913b82a5558c1a208c6222876e24bee30e016691e5fe5a3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 4d03df3d6b1ee23420d55434d6b7bf47
    SHA1: 8125f24e51b75f787ea1ac412d6667028386edd5
    SHA256: 4a45fad0645b99ea5ab56ad87cf4d1fcb2bfa5e79ecfb0916b41039c51616655
    SHA512: 1ab8cf603e07bd91d1a3419781e3a9190db460b68cacecf618b1be17e073bb917a675af76f0ecb983735e97a3aa6180b9a56742def811a9f495657be96d7be28

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize: 15KB
    MD5: c9b4f407242cbe7eec05929b8b42b214
    SHA1: 21647fefa9abccc4b81d4507b2ec2f07e8fe30a5
    SHA256: 6f195919ab169bb1c6e7a2f56b53c741afcc3dac93a837e6aea3834df20c7f33
    SHA512: e0b388aa7dd5cf54002e72d065317e5cf64e8af3fa86526fd62b145033b061f955f3f60123a6a2ec0bdebd51c3fb20e740f08f677c2e91282054b801f5b5fa77

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 152KB
    MD5: c1d48c186fe22cb6e6bdc7c15f1c34c6
    SHA1: 845f300ab8c71156f7aa2ac68552849e30dceda4
    SHA256: cb97323f5ef8227acbff1eb6047cf14440435cab4e8cdba84b08364832e02875
    SHA512: dd193641ecc71c8499f142ab3ffca0cf6acea0511893872871728f30631be066508ac4f3e9562139ca6ba0aa74e22201616a74b504c23ec5df98af0d50dba1fb

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 152KB
    MD5: 90c8f362fc49441e242d2ccabb55f4f8
    SHA1: 4c9dbfac5e02ffdc3740cc048c47b90d2275539a
    SHA256: e5ba17978bf160349c8583a8f349b5cb7436c1cce6979b78413fd8b48941c4b0
    SHA512: d4acb6cf0093ac950e597f57d6e4df87f2d623ab4cd7290193d18903ffc18fe57ae894c8316edc0a8ea161e165861ac6c8c88a2a8a177333c0735068dd641f40

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Filesize: 78KB
    MD5: 0cccb44d8b9efe2baa53f809f54923f6
    SHA1: 57f8d3877af9853fc9f880e05a045274dd7c7c3d
    SHA256: 7fbdcb4fc89ad23c70c9b17e5e633e4b4688beaa7081b7e530f156608246aee9
    SHA512: 0aef03daf778f7b0b5cc1a077fb0b7a37972220e816ce577968f564aa192e226658aced1865a5917d623d28ec53b3c92f893940fec726268f2cdb4b991227f32

  • memory/3928-39-0x00007FFA5FB20000-0x00007FFA605E1000-memory.dmp
    Filesize: 10.8MB

  • memory/3928-31-0x00007FFA5FB23000-0x00007FFA5FB25000-memory.dmp
    Filesize: 8KB

  • memory/3928-18-0x000001727D2C0000-0x000001727D7E8000-memory.dmp
    Filesize: 5.2MB

  • memory/3928-17-0x00007FFA5FB20000-0x00007FFA605E1000-memory.dmp
    Filesize: 10.8MB

  • memory/3928-16-0x000001727C9E0000-0x000001727CBA2000-memory.dmp
    Filesize: 1.8MB

  • memory/3928-15-0x00007FFA5FB23000-0x00007FFA5FB25000-memory.dmp
    Filesize: 8KB

  • memory/3928-14-0x000001727A410000-0x000001727A428000-memory.dmp
    Filesize: 96KB