Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

veydovokna.exe

windows7-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    veydovokna.exe

  • Size

    78KB

  • MD5

    7ee32f2553fa474e79b2f1a444172735

  • SHA1

    fc17876384c197f73a7471850d13748aa6f659b0

  • SHA256

    d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39

  • SHA512

    2789dc16e615f28c29f5e81ade9e4b03a47d9855cc9092bbcdf90ce7419fe38cabd729a87f038f4aa3d8e2f5317ac69a0637737f468dd8d05532dbd3dda738b9

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls

  • server_id

    1257063713945419826

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\veydovokna.exe
    "C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2424 -s 596
      2⤵
        PID:1936
    • C:\Program Files\Windows Sidebar\sidebar.exe
      "C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
      1⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2144
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.0.1006267430\1644205380" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c14813c-710a-43a2-aec8-aa0f479a4af9} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 1280 103d8b58 gpu
          3⤵
            PID:2724
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.1.2001801535\1000580399" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e94f1f2-c689-4309-aeef-b766f1c26fb6} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 1488 f72b58 socket
            3⤵
            • Checks processor information in registry
            PID:580
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.2.1188954229\1255573746" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab7ffc7b-6e45-4cb0-9585-fe6c0785f3f0} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2128 10363d58 tab
            3⤵
              PID:2360
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.3.439944296\51327321" -childID 2 -isForBrowser -prefsHandle 2480 -prefMapHandle 2472 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cdba4a4-37ed-464d-98fa-630430df71fd} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2500 11c88e58 tab
              3⤵
                PID:3028
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.4.1776714114\1299909372" -childID 3 -isForBrowser -prefsHandle 2732 -prefMapHandle 2728 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {232ddd35-79be-4d61-a288-fc20f30edc34} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2744 f62258 tab
                3⤵
                  PID:2728
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.5.865415971\81997227" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3804 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37229e7a-854b-4eb0-8bd9-b39879fa4f6d} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3828 1e724758 tab
                  3⤵
                    PID:1360
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.6.1926948359\557215743" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9be2991e-05b9-4592-955f-706837c4a521} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 4000 1e724a58 tab
                    3⤵
                      PID:1292
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.7.1663401696\1804161524" -childID 6 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb409bec-998d-4642-a457-4cad1004b541} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3980 1e726858 tab
                      3⤵
                        PID:2656

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
                    Filesize

                    1KB

                    MD5

                    9f27f4d487bcdd35d96e49a2768b4552

                    SHA1

                    abddfd32d7e7ed9568d2635038dede54c7793d63

                    SHA256

                    701363c8e8ebb328d0f9c6def1799ad6c47b247451eac3bd2098171b775456bf

                    SHA512

                    e8e40e46593dfbf03c5e85b9af59418f211c44c3ee25ed621b3c89d59f25a78935febd65b5043cc0279c0f2d52e6fa49e57d562fcfe9c24bbaab7cf24bac9555

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
                    Filesize

                    1KB

                    MD5

                    242c549bf92365aa90ad3888882234be

                    SHA1

                    dc66fdf95c6015882dc7c9142e33b00b48a430a9

                    SHA256

                    3b5f480ca38ba928cee8dfee735a7ad82534292ada22369ba5e40b10f9f6ba65

                    SHA512

                    422b7f2f409b8b554e05d3692926b23b8b6ae11cfd2f0ed3a37f85336dc757be31711a7d9a5ed8eeb9bb25e253d553f0d94b4d0dc00f9efbad7123a95a8c4f67

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
                    Filesize

                    2KB

                    MD5

                    7bca544f0fbf100763551dffffd8fd3b

                    SHA1

                    771e32475d22059931110a09503e54afe1080603

                    SHA256

                    3b7e883ef5680659d08e90636732dca013496f6b697123d4c6a7f38c494e4072

                    SHA512

                    81e68a4fb9ad7602f186a4309d2fb42f4be142434c3a444c878a7b0c78dd2ce0a7b6c1b8462b284e8b046311a225527254fb8ceca224bf60fc425a7283f83010

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    24KB

                    MD5

                    346d5bf7e7a4bbf14da7f78700261ba7

                    SHA1

                    97e804def0372915ec768a3e52bfd752bc65d2b9

                    SHA256

                    2101c0c22b13dc73a36efc6d06a61813ae9b25978301b29df08f93d9d8a02cf5

                    SHA512

                    ba911bff5fb8f13ec290d0f488adf3aaa3954aa180856e7df1e97776081ca56aa769ae4b9612d67abf066fdccacf3d1dff1b16fc3a0badab0dec7a779f6ea006

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    ff99d79d47b42ef026a83c9dd5b1a770

                    SHA1

                    4f59d7269d4480523b9fd52fedfcc9b7eb961569

                    SHA256

                    3c971f87a5f73efb02a498c003913b1cc19458318ba9e968c42fff730ac14580

                    SHA512

                    07663170506cdc7f3f05df9d68df101a3c9fa836065e73903b0e04ad172c0e1a707056c28a9ba8d25ece77fbab7421ce1771c6c3bf1c2ffdb4c8c47a33a76530

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\4335b286-9a65-4541-9930-aa67dd36057c
                    Filesize

                    11KB

                    MD5

                    e12cdd02c603b0dccf56aea71486698a

                    SHA1

                    38e334aedda357912b78865462bc8386ee8007c3

                    SHA256

                    6e55f21669cf04afedd0b99d46bb9b6d4eed1f661b705ce18eda9be23e811708

                    SHA512

                    a3b78c58f106ebba63f11f9776a97b27d8cec261d595860f55f6c2869d3ffe9edfafd91d4944a6ece877f11146b7aac58a588d5715cc56abc45f27750196789c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\d940cf43-a416-4f91-b72c-64508dcfa38c
                    Filesize

                    745B

                    MD5

                    2d04b0c3a1a6b26a8cd35ce976931639

                    SHA1

                    157778cfa9ec3318071467a34605a19eea5f6735

                    SHA256

                    fbf3aa04bcaa3f3474e97ce5b4a12aef9ca7af9c53aaf0576462cafff04f7523

                    SHA512

                    d7507b2c8615081b9cb15ad6dee3d94242a36ee2f6d6704c490f351c13e84f30dc7053f66f07cb0b2ad76bbd15af9fb3a31f08f0cfa1a7ab6af558a00cc1a8d2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    5264c5313aba30362074d4aeb13b634a

                    SHA1

                    7c491deb0f99e44fcb163ce384c042aee02c4e0d

                    SHA256

                    4c62852debaf2e6a54ae2d461d6f78347ce090f47c90f15002bb6151ab9a3fd6

                    SHA512

                    6eefc4dff26a46996b84637ea0ed71615dfb3b0fc792bfde0af5627a1798d8f89e98c113a167beee92f564cbb1ad8f86d54ca8ea910655e748624a80d04cb726

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    ede0b3f1bf02921f172d57e4789d54e3

                    SHA1

                    a5b6d9dc4f8304602046c441f3b335b43f243882

                    SHA256

                    638e90c8f24084216f28936758ea6297c5f1c6a4b22681847d7f565f7a1b53ef

                    SHA512

                    398b54b56d699761495cae9efda1eff75214f1d3393a67afcb8a3f1430529d42d859d0169c5546b2761253a2679f0b70ff71462bca3f355069b06771ce3acfcf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore.jsonlz4
                    Filesize

                    831B

                    MD5

                    026e191ed4be53e3b9bbf1235004fb45

                    SHA1

                    c5e845d9af1c5048280e4e8283435d9eb9dd5c12

                    SHA256

                    9a8b6082633074471abb74b723e136f78ea29543cdcca31ba095244ea2eb9d8f

                    SHA512

                    a514a22658d9536a1ab58e02b53c1f1b8be147d94015dac2b2993000ae3744e2a14c5e6737d2bfa41ff1744cdd132c5c3f84f18a7f4be947c04c49bdc645e833

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    e64c81a753d3e7d5a6266720b4d2c385

                    SHA1

                    8923cd728a9fd4236d9292e61edaa59985cd21fb

                    SHA256

                    cbe3d57b556ca1f6f051f0b9d83fc0d11b92cce568d8b6b8c80070e29736b551

                    SHA512

                    a4d70771ddac1c24561973e3885ae86e9e8aa5c04d551b7c046920fae921ee720f23b9bfef858a72b2640cc5ae21a19197c5ac401fdfd9bd7e1675f1bdd6d1bf

                    Download Submit

                  • memory/2424-3-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2424-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2424-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2424-1-0x000000013FF00000-0x000000013FF18000-memory.dmp

                    Filesize

                    96KB

                    Download