Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1Discord-Mi...in.zip
windows7-x64
1Discord-Mi...in.zip
windows10-2004-x64
1Discord-Mi...ignore
windows7-x64
3Discord-Mi...ignore
windows10-2004-x64
3Discord-Mi...ICENSE
windows7-x64
1Discord-Mi...ICENSE
windows10-2004-x64
1Discord-Mi...DME.md
windows7-x64
3Discord-Mi...DME.md
windows10-2004-x64
3Discord-Mi...fig.py
windows7-x64
3Discord-Mi...fig.py
windows10-2004-x64
3Discord-Mi...ain.py
windows7-x64
3Discord-Mi...ain.py
windows10-2004-x64
3Discord-Mi...s.json
windows7-x64
3Discord-Mi...s.json
windows10-2004-x64
3Analysis
-
max time kernel
18s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 14:28
Static task
static1
Behavioral task
behavioral1
Sample
Discord-Microsoft-Scam-main.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Discord-Microsoft-Scam-main.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Discord-Microsoft-Scam-main/.gitignore
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Discord-Microsoft-Scam-main/.gitignore
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Discord-Microsoft-Scam-main/LICENSE
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
Discord-Microsoft-Scam-main/LICENSE
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Discord-Microsoft-Scam-main/README.md
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Discord-Microsoft-Scam-main/README.md
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Discord-Microsoft-Scam-main/config.py
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Discord-Microsoft-Scam-main/config.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Discord-Microsoft-Scam-main/main.py
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Discord-Microsoft-Scam-main/main.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Discord-Microsoft-Scam-main/registrations.json
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Discord-Microsoft-Scam-main/registrations.json
Resource
win10v2004-20240802-en
General
-
Target
Discord-Microsoft-Scam-main/config.py
-
Size
47B
-
MD5
c7257632f9e6e2cc97fc261bc3df08cb
-
SHA1
3efb0b15b583eef0d31155fb58cc81f27c291998
-
SHA256
b116c545c527ce3b3b8763ed6d8aa5451213dededc418720fd568cbbb4a0c59c
-
SHA512
ba78240e5559ab662a2b969e75a8e788eac98804ab423d83766de7f7031f379f5c1655d6d6431ef5bc1d2a3e86e6cefd7dd64da1f3eff921019e0a0c3cf20577
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2736 AcroRd32.exe 2736 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2212 2468 cmd.exe 30 PID 2468 wrote to memory of 2212 2468 cmd.exe 30 PID 2468 wrote to memory of 2212 2468 cmd.exe 30 PID 2212 wrote to memory of 2736 2212 rundll32.exe 31 PID 2212 wrote to memory of 2736 2212 rundll32.exe 31 PID 2212 wrote to memory of 2736 2212 rundll32.exe 31 PID 2212 wrote to memory of 2736 2212 rundll32.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py1⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2736
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f3651202fe9056b6131970901aa87fbb
SHA168b608b158a08e0f90734112e3f030e736d5d3db
SHA2563b2df598411a828189b0868c1d8cf2bfddb7bdce27730ecde0af33c4146aaf14
SHA512a0d809d268917733b0e40fddb360a66bdcd60c6d3b6f585fdc187f425954e89f7abd71d0b7fd09e63fe9f72113713290f520e1f22c531d0ea7512fbe54531e9f