Analysis

  • max time kernel
    171s
  • max time network
    182s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/08/2024, 11:28

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    dde1143427fbbe9d6cb6e7cb5b94b415

  • SHA1

    02232d66ec3178c65f97ea503d3cdd7d6523f643

  • SHA256

    3b69e72c8db1864fbbbc2584562f7d627c371b82337365005f50af428a6a7203

  • SHA512

    4f01ad8232b2b030bd128c7f300c20485c060e103fb5de6f1392d1478fb4cccd5f660e91522f5b7f82032ce7e3f6fdb5f066da890f020e112684ff232897f2f6

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2OTI0OTEwMjQ5NTg3OTIyOQ.GLHhlB.ypGKkwamHbm_Ye58lhiwJG8n231holsbEjjd7g

  • server_id

    1269247737208246368

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3940
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:936
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
      1⤵
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4272
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
        2⤵
          PID:1508
          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
            C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
            3⤵
              PID:3536

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    Filesize: 40.2MB
    MD5: fb4aa59c92c9b3263eb07e07b91568b5
    SHA1: 6071a3e3c4338b90d892a8416b6a92fbfe25bb67
    SHA256: e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
    SHA512: 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    Filesize: 38.2MB
    MD5: f6e7baa0441b93d4f3ded91900b76f9c
    SHA1: 0e63c5e50c0557ab18b382cd1d92fcc6a842a28a
    SHA256: 7ba6426c2f7284a29d105eee2fade5d8cd5410823b61df53a4514b2bf9ca6c34
    SHA512: b9df9c7f95aa2771ca07224f1a7d32a3630756c4bf87f0a045f5f765cd4882b0b26f0b5c77cf2f7c64a1463c16e5b7de1eacbf50bed1758c0d3352d2349a98e0

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    Filesize: 12.0MB
    MD5: 4780b3722eca3c774c814e230eb366fc
    SHA1: d83bed44defafae588cb3ec2b2f350f749d07a73
    SHA256: 55edd1aa7314bdfa588988a0211f3a364fce40493324e83f2faf1da4a1f496fa
    SHA512: f8a7be48e24a0b26928d622dcc3e607bc371f760753f361f0fe911ea4d3bcd7e61c85f0fcd1aa4ecf4a1c76a088224bcc9e1c1dfc6304fc484f7ba3b75e8d5db

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
    Filesize: 63KB
    MD5: e516a60bc980095e8d156b1a99ab5eee
    SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
    SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
    SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
    Filesize: 77B
    MD5: 4ce6b4e48ae2d53a4f14478a64869d11
    SHA1: 4f35b929edbf44716bef64a2d5f165cc81d301a9
    SHA256: 4cb714fee2f8564548d032f743ea473ed867c46d298f589e8e0034519f577b51
    SHA512: 9bb58d166fd16948de758f5ea9de51d00e7c2d7d1eaa13af22bdcd02a01e92e3de20220968028e4a0496d968ebf39fdd573a03127019b894786ea993f047e055

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\119NURWM\update100[1].xml
    Filesize: 726B
    MD5: 53244e542ddf6d280a2b03e28f0646b7
    SHA1: d9925f810a95880c92974549deead18d56f19c37
    SHA256: 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
    SHA512: 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

  • C:\Users\Admin\AppData\Local\Temp\tmp9EC2.tmp
    Filesize: 2.6MB
    MD5: d9f4289c33f784d15033599e89932734
    SHA1: 1f8bed16727ba9812bd95af242b7fc3aeab148a6
    SHA256: 7889594161a1fe9b30234bbc6d1ebbaef415f820e2d60e50915ef23cabe174ad
    SHA512: 562b1edb47a04a34ca157ee613ba50bca56d8f24cfd31aae4021fc4061ceb2686b0d537f6e32cee60753bcf95b3a5f62a193fa9943565d26620812cef349f0a5

  • memory/3940-4-0x000001EF6FF00000-0x000001EF70426000-memory.dmp
    Filesize: 5.1MB

  • memory/3940-5-0x00007FFDA9380000-0x00007FFDA9D6C000-memory.dmp
    Filesize: 9.9MB

  • memory/3940-1-0x00007FFDA9383000-0x00007FFDA9384000-memory.dmp
    Filesize: 4KB

  • memory/3940-3-0x00007FFDA9380000-0x00007FFDA9D6C000-memory.dmp
    Filesize: 9.9MB

  • memory/3940-2-0x000001EF6F700000-0x000001EF6F8C2000-memory.dmp
    Filesize: 1.8MB

  • memory/3940-0-0x000001EF55100000-0x000001EF55118000-memory.dmp
    Filesize: 96KB