Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 23:40
Behavioral task: behavioral1
- Sample: Update Check.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Update Check.exe
- Resource: win10v2004-20241007-en
General
- Target: Update Check.exe
- Size: 4.2MB
- MD5: d53d1f00ed58f99f59822c2d2d544010
- SHA1: 0b7044e63ad051185cdfac92e23ce85af8faa9c8
- SHA256: 58638ff7af545a8ddf3d05ec44b916de2f6e5e3a3d9ed1d9ac95c43737b3d974
- SHA512: 4fe5428921a60bd4fdb5f91a4a0e35d6656f14071a2841a254523e04608cc89b79662b538e5f34aa157540fd87efd98a34be8bf662e2f5ed94abd85fc3f3b9e8
- SSDEEP: 98304:SelujKJAy3ppt06bZmCOHDujxBJSjMgL3+ylLGEeU4uz1P9zz9Izjhed:SZ1yZpt06NmPjuBYAAOylLGEeRy9zz9r
Malware Config
Extracted: discordrat
- discord_token: MTI1OTY0MjcxOTc2OTMyOTc0NA.G7ihTo._RCPiBzL9dSbWyoWQXFjvV6wNhGpmHiAW1ckvc
- server_id: 1292317246118559744
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Process: Update Check.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Process: Update Check.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Process: Update Check.exe
- yara_rule: themida
  resource: behavioral1/memory/2416-7-0x000000013FC30000-0x0000000140778000-memory.dmp
  resource: behavioral1/memory/2416-8-0x000000013FC30000-0x0000000140778000-memory.dmp
  resource: behavioral1/memory/2416-14-0x000000013FC30000-0x0000000140778000-memory.dmp
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: Update Check.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid: 2416
  Process: Update Check.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2416 wrote to memory of 2948
  pid: 2416
  Process: Update Check.exe
  procid_target: 31
  description: PID 2416 wrote to memory of 2948
  pid: 2416
  Process: Update Check.exe
  procid_target: 31
  description: PID 2416 wrote to memory of 2948
  pid: 2416
  Process: Update Check.exe
  procid_target: 31
Processes
- C:\Users\Admin\AppData\Local\Temp\Update Check.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Update Check.exe"
  PID: 2416
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2416 -s 608
    PID: 2948