Analysis
- max time kernel: 1602s
- max time network: 1782s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28/09/2024, 00:58
Behavioral task: behavioral1
- Sample: HaxMods GUI.exe
- Resource: win10-20240611-en

General
- Target: HaxMods GUI.exe
- Size: 78KB
- MD5: 6a900d4d03f9804eceb266a016658f79
- SHA1: 6af52f2bbe6179c17355564b9676ff98f9a15080
- SHA256: 9c1239acbd4ca0624a4529ad86de37bbc1d48b982812c67a9b011dcd08722f68
- SHA512: 7711182f1e0130494d048111138a8b7f91fefc635cc11cf59fc285bf2b37cb4b5edea046531954897d76035502a67a00897146c528d40aa91b2e8c37094ff27a
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC
Malware Config
Extracted: discordrat
- discord_token: MTI2OTg1MTgzMTc0NDU5Mzk5Mg.GR0WTi.6wJSWraeR-Rzl_I7fZ7aGCVXpAfAzHPpj4n9qM
- server_id: 976996222277672961
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Disables Task Manager via registry modification
- Abuse Elevation Control Mechanism: Bypass User Account Control (1 TTP, 1 IoC)
  UAC Bypass Attempt via SilentCleanup Task. The SilentCleanup scheduled task is configured to run with highest privileges and can be started on demand by a standard user, which is why a user-land process invoking schtasks /run on it is flagged; the report records only that invocation, not what was executed through the task.
  pid  | Process
  2664 | SCHTASKS.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  flow | ioc
  6    | discord.com
  30   | discord.com
  7    | discord.com
  11   | discord.com
  13   | discord.com
  15   | discord.com
  16   | discord.com
  17   | discord.com
  29   | discord.com
  32   | discord.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 4512 | HaxMods GUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                      | pid  | Process         | procid_target
  PID 4512 wrote to memory of 2664 | 4512 | HaxMods GUI.exe | 71
  PID 4512 wrote to memory of 2664 | 4512 | HaxMods GUI.exe | 71
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\HaxMods GUI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HaxMods GUI.exe"
  PID: 4512
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\SCHTASKS.exe (child of 4512)
    Command line: "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    PID: 2664
    - Abuse Elevation Control Mechanism: Bypass User Account Control
- C:\Windows\system32\taskmgr.exe (separate top-level process)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1348
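As an added example, not code from the tria.ge report or from the sample's author, the Python below turns the report's three behavioural signatures (SilentCleanup schtasks /run from a user-land parent, Task Manager disabled through the registry, a non-browser process contacting discord.com) into detection rules run over Sysmon-style event records. The event dictionaries, their field names, the benign control events and every PID other than 4512 and 2664 are constructed; the DisableTaskMgr registry value and the Discord host list are assumptions, since the report prints neither the registry path it observed nor any host beyond discord.com.

```python
"""
Added example, not code from the tria.ge report or from the sample's author:
a small triage rule set that re-expresses the report's signatures as checks
over Sysmon-style event records (EID 1 process create, EID 13 registry value
set, EID 22 DNS query). Field names, the event records and every PID except
4512 and 2664 are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Task whose schtasks /run invocation the report flags as a UAC bypass attempt.
SILENTCLEANUP_TASK = r"\microsoft\windows\diskcleanup\silentcleanup"
# Assumption: the "Disables Task Manager" signature corresponds to the standard
# Policies\System\DisableTaskMgr value; the report does not print the key it saw.
DISABLE_TASKMGR_SUFFIX = r"\policies\system\disabletaskmgr"
# Assumption: hosts a Discord-based C2 would resolve; the report lists only discord.com.
C2_HOSTS = {"discord.com", "discordapp.com", "discord.gg"}
# Processes for which resolving Discord is expected and therefore not reported.
EXPECTED_DISCORD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _exe(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_silentcleanup(ev: dict):
    """EID 1: schtasks.exe starting the SilentCleanup task on demand."""
    if ev["event_id"] != 1 or _exe(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["command_line"].lower()
    if "/run" not in cmd or SILENTCLEANUP_TASK not in cmd:
        return None
    parent = ev["parent_image"]
    # A parent outside %SystemRoot% (in the report: a file in the user's Temp
    # directory) is the high-confidence case; an admin console is the benign one.
    confidence = "low" if parent.lower().startswith("c:\\windows\\") else "high"
    return Finding("uac_bypass_silentcleanup", ev["pid"],
                   f"{confidence}: launched by {parent} (pid {ev['parent_pid']})")


def rule_disable_taskmgr(ev: dict):
    """EID 13: DisableTaskMgr set to 1 under any hive's Policies\\System key."""
    if ev["event_id"] != 13:
        return None
    if (ev["target_object"].lower().endswith(DISABLE_TASKMGR_SUFFIX)
            and "0x00000001" in ev["details"]):
        return Finding("disable_taskmgr", ev["pid"],
                       f"{_exe(ev['image'])} wrote {ev['target_object']}")
    return None


def rule_discord_c2(ev: dict):
    """EID 22: a process that is not a browser or the Discord client resolving Discord."""
    if ev["event_id"] != 22:
        return None
    name = ev["query_name"].lower()
    if (any(name == h or name.endswith("." + h) for h in C2_HOSTS)
            and _exe(ev["image"]) not in EXPECTED_DISCORD_CLIENTS):
        return Finding("discord_c2_contact", ev["pid"], f"{_exe(ev['image'])} resolved {name}")
    return None


RULES = (rule_silentcleanup, rule_disable_taskmgr, rule_discord_c2)


def run_rules(events):
    """Apply every rule to every event; return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def rules_by_pid(findings):
    """Group rule names by PID so a process that trips several rules stands out."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.pid].add(f.rule)
    return dict(grouped)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HaxMods GUI.exe"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
TASKMGR_VALUE = r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
# Constructed events modelled on the report's process list; the last two are benign controls.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4512, "parent_pid": 3100, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{SAMPLE}"'},
    {"event_id": 22, "pid": 4512, "image": SAMPLE, "query_name": "discord.com"},
    {"event_id": 13, "pid": 4512, "image": SAMPLE, "details": "DWORD (0x00000001)",
     "target_object": USER_HIVE + TASKMGR_VALUE},
    {"event_id": 1, "pid": 2664, "parent_pid": 4512, "image": r"C:\Windows\SYSTEM32\SCHTASKS.exe",
     "parent_image": SAMPLE,
     "command_line": r'"SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I'},
    {"event_id": 22, "pid": 6020, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query_name": "discord.com"},
    {"event_id": 13, "pid": 4800, "image": r"C:\Windows\regedit.exe", "details": "DWORD (0x00000000)",
     "target_object": USER_HIVE + TASKMGR_VALUE},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(f"{finding.rule:26} pid={finding.pid:<5} {finding.detail}")
```

Running the block prints three findings: the sample process 4512 trips both the Discord contact and the DisableTaskMgr rules, and its child 2664 trips the SilentCleanup rule at high confidence because the parent lives under the user's Temp directory; the Chrome DNS lookup and the regedit write that sets the value back to 0 produce nothing. Grouping by PID is what makes the combination stand out: a single rule hit on discord.com is weak on its own, while the same process also disabling Task Manager and spawning the SilentCleanup invocation matches the report's picture of the sample.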