Analysis
- max time kernel: 570s
- max time network: 570s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2024, 22:13
Behavioral task behavioral1
- Sample: Client-built.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: Client-built.exe
- Resource: win10v2004-20241007-en
General
- Target: Client-built.exe
- Size: 78KB
- MD5: e8e307d2a0e8b33878dea7396f1fe7fe
- SHA1: 4abea5f3288c4045a68d2d355838533d72768e69
- SHA256: 0a188431ec4ef4275ebe8377963a65e82d9a1fbc9a72c9047ccc6fe65d30b837
- SHA512: c8b50c57b9ac2c3a73a8256a85b74d8ab599c5415148f48ee902f0965bd0c2e7fa91756cd12f491be093058fbf57cb20fca59bd71303147ebbbb36515b82f774
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+6PIC:5Zv5PDwbjNrmAE+mIC
Malware Config
Extracted: discordrat
- discord_token: MTI5NDA0NTgxMjIxMjQ5ODQ1Mg.G2NcYi.AGgJbkkw4ihNbkFwsXZwuwi-qjW6NEuR8lVozM
- server_id: 1294045594666668093
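Offline triage of the extracted config, as an added example that is not part of the Triage report or of the Discord RAT project. A Discord bot token is three dot-separated segments; the first is the bot's own user ID, base64-encoded without padding (the second is a timestamp-derived value and the third an HMAC; neither is decoded here). Both that user ID and the extracted server_id are Discord snowflakes, whose upper bits are milliseconds since the Discord epoch of 2015-01-01T00:00:00Z, so the config alone reveals when the attacker created the bot account and the C2 guild. The script makes no network calls: the token is a live credential and is only ever redacted, never used. The helper names (decode_bot_user_id, snowflake_created_at, triage) are this example's own.

```python
# Added example, not code from the report or from the Discord RAT project.
# Decodes the bot user ID from a Discord bot token and derives creation times
# from Discord snowflake IDs. Runs offline; the token is never sent anywhere.
import base64
from datetime import datetime, timedelta, timezone

# Discord snowflakes count milliseconds from 2015-01-01T00:00:00Z in bits 22..63.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Values as extracted by the sandbox from Client-built.exe (taken from the report).
EXTRACTED = {
    "discord_token": "MTI5NDA0NTgxMjIxMjQ5ODQ1Mg.G2NcYi.AGgJbkkw4ihNbkFwsXZwuwi-qjW6NEuR8lVozM",
    "server_id": "1294045594666668093",
}


def decode_bot_user_id(token: str) -> str:
    """Return the bot user ID carried in the first segment of a bot token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated token segments")
    first = parts[0]
    padded = first + "=" * (-len(first) % 4)  # segment is emitted without '=' padding
    user_id = base64.urlsafe_b64decode(padded).decode("ascii")
    if not user_id.isdigit():
        raise ValueError("first segment did not decode to a numeric user ID")
    return user_id


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time (UTC) of a Discord snowflake: bits 22..63 are ms since DISCORD_EPOCH."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def redact_token(token: str) -> str:
    """Keep the user-ID segment (usable for pivoting) and mask the secret segments."""
    first, _timestamp, _signature = token.split(".")
    return f"{first}.<redacted>.<redacted>"


def triage(config: dict) -> dict:
    """Summarise an extracted discordrat config; times are UTC ISO-8601 strings."""
    bot_id = decode_bot_user_id(config["discord_token"])
    server_id = int(config["server_id"])
    return {
        "bot_user_id": bot_id,
        "bot_created_utc": snowflake_created_at(int(bot_id)).isoformat(timespec="seconds"),
        "server_id": str(server_id),
        "server_created_utc": snowflake_created_at(server_id).isoformat(timespec="seconds"),
        "token_redacted": redact_token(config["discord_token"]),
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED).items():
        print(f"{key}: {value}")
```

For this sample the bot user ID decodes to 1294045812212498452, created 2024-10-10 21:16:03 UTC, and the guild 1294045594666668093 was created about a minute earlier at 21:15:11 UTC, roughly an hour before the 22:13 submission; both IDs are the durable indicators to pivot on, since the attacker can rotate the token but not the IDs.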
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile data.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 39 IoCs)
  flow -> ioc:
  discord.com: flows 86, 26, 82, 90, 12, 25, 67, 92, 27, 56, 62, 76, 77, 84, 88, 91, 22, 57, 58, 59, 63, 71, 10, 80, 81, 83, 85, 87, 50, 68, 16, 23, 60, 69, 72, 78
  raw.githubusercontent.com: flows 21, 61, 20
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp135F.tmp.png"
  Process: Client-built.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 872 | Client-built.exe
  Token: 33 | 4996 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4996 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  872 | Client-built.exe
  872 | Client-built.exe
  872 | Client-built.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 872
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x514 0x49c
  PID: 4996
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
  PID: 4536
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 1356
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_1FE66027A63A4EA69EA648B47B395E92.dat
  Filesize: 940B
  MD5: 8a97e23c64413b84fe3a3e6f7dedf0bb
  SHA1: 3f47b588eedcc43f60ca37d3b5531abc8c83636e
  SHA256: 26f06d63a2f25d68893e0380c3492569b8a1b089b3132a749bb9ba900fac9140
  SHA512: 8ca8cf6005bfa3ccb3c2b8deda425cca928e210072ccf6ae409bd55eb3561e0cfdaa47786c4c764dbfb785bc1af9755a51bd6c16c2eee7c2915dca7e5256613d