Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
82s -
max time network
121s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
15/08/2024, 07:36
Behavioral task
behavioral1
Sample
startUp.exe
Resource
win11-20240802-en
4 signatures
120 seconds
General
-
Target
startUp.exe
-
Size
78KB
-
MD5
3c54c63429b0d1fd270d4de8483abb35
-
SHA1
7ba250d75e359298456f3935c1f03b72fed86a23
-
SHA256
ba16769e14928fcfbf992b64097ae2e6d8f2bdbc19845a3f59e3962d605af6b8
-
SHA512
d155f34bcb646513476dc375a37866979b1a863cc46e6043206f5d3d5fe84c52530e436da4a9ccceb9641e20c654080cb1db1d06290f9213cc2134dc22d875c5
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIC:5Zv5PDwbjNrmAE+IIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTE5MTM5MjgwNTUxNjQ3NjQyNg.Gl3kkb.usaX-42FrcQ6J-kIDoZduTOOAdWSZQA8Gv_RsQ
-
server_id
1270003925323481189
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 discord.com 3 discord.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2396 startUp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3588 MiniSearchHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\startUp.exe"C:\Users\Admin\AppData\Local\Temp\startUp.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:4528
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3588