Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/06/2024, 14:28
Behavioral task
behavioral1
Sample
cdumper/compiler.exe
Resource
win11-20240611-en
windows11-21h2-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cdumper/setup.bat
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
General
-
Target
cdumper/compiler.exe
-
Size
78KB
-
MD5
cc0c0d53ea855321b892e9d69ce09d1f
-
SHA1
604de3c919a7768f107e15c12c816ed11ea0146f
-
SHA256
cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529
-
SHA512
58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
-
server_id
1250682422434074634
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 1 discord.com 3 discord.com 5 discord.com 7 discord.com 8 discord.com 9 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 4832 Process not Found 4128 Process not Found 2076 Process not Found 3880 Process not Found 3200 Process not Found 2228 Process not Found 3264 Process not Found 2088 Process not Found 2256 Process not Found 2600 Process not Found 1216 Process not Found 1244 Process not Found 1264 Process not Found 4980 Process not Found 1528 Process not Found 4288 Process not Found 3596 Process not Found 1488 Process not Found 4988 Process not Found 4636 Process not Found 388 Process not Found 1576 Process not Found 2816 Process not Found 2972 Process not Found 3320 Process not Found 3356 Process not Found 2628 Process not Found 4624 Process not Found 3588 Process not Found 652 Process not Found 2400 Process not Found 4596 Process not Found 2444 Process not Found 1484 Process not Found 3720 Process not Found 4224 Process not Found 3904 Process not Found 976 Process not Found 2192 Process not Found 2116 Process not Found 4516 Process not Found 1384 Process not Found 2500 Process not Found 4256 Process not Found 4168 Process not Found 3920 Process not Found 2528 Process not Found 3040 Process not Found 3076 Process not Found 3716 Process not Found 4100 Process not Found 4952 Process not Found 132 Process not Found 4632 Process not Found 4972 Process not Found 1028 Process not Found 4020 Process not Found 4080 Process not Found 3944 Process not Found 3324 Process not Found 3884 Process not Found 3812 Process not Found 3908 Process not Found 3468 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 912 compiler.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4752 LogonUI.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 912 wrote to memory of 2776 912 compiler.exe 79 PID 912 wrote to memory of 2776 912 compiler.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /L2⤵PID:2776
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a09055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4752