Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2024, 02:24

General

  • Target

    f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe

  • Size

    476KB

  • MD5

    23c3f2c8794f05b832c82f72258ba38a

  • SHA1

    6d26d5bbe68f6908f5f43aa448238fd135d7bd93

  • SHA256

    f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4

  • SHA512

    87236ab4eeb9dfcabb28fce2708d02ef13550dccf488348907ee8764e47bf527cb8fb825bcf5152db25b621a53be6ef48d9ea11702e53c5bc32e5369edf2aafa

  • SSDEEP

    12288:xCQjgAtAHM+vetZxF5EWry8AJGy0ObZh2IJBx:x5ZWs+OZVEWry8AF5b24

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5NjYzNjQ4OTQ0NjE5OTQwOA.GEhciD.QzYUmAgRRkM4btANs6IF2LW4kGU-L42O5YO-Cs

  • server_id

    1296636393107488851

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
    "C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\noradio.cs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2452 -s 600
        3⤵
        • Loads dropped DLL
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\noradio.cs

    Filesize

    17KB

    MD5

    2e3e0c90408b4f53deda5e7e2e975224

    SHA1

    8f2da25b994e7daadf488d2d81c252de1a7d9418

    SHA256

    f7107f81e1e8815570578fc9b75e6fa75337586288da0126fcc3fa2b8db5acae

    SHA512

    264f8a8a5a369e313f08aae71ca7a22d6472806efbc7a865dd7d650c2d67fd309dc1870eea3c68a6a730bb42a038b5c3d4ec2fc6f97f20e8e97353b2610fde85

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    6bca49bcef06a88fd646fadd414b2855

    SHA1

    5789c53c45a6aae663d99cfb2c54f19f14a498f8

    SHA256

    355215120cabd23f7039fd60f6405c22b458074e95481f6f6db03b9ea7f18e14

    SHA512

    6c7049e10cff537a26a3896801b5364915ebf457c83f4757b0bd09d43c65503b88752e823f7ff6ba9479ddc1328500c03a11a868ce42f4f117995699a9409db3

  • \Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe

    Filesize

    78KB

    MD5

    8d5085a3b59652009f453ed350c90315

    SHA1

    d9faa65484d652e7a4ad41bc8f8208c0a0fb1343

    SHA256

    fd75a4cb2497043b93f9027cc2116954fbb83865bdb040417da2a651ea88c425

    SHA512

    ed2df9143d0a15a484e2b6ffa3257d9e17151fede7eb37140a096c28b33b4062d94afa0daf4d926d7bf5b0cfc0d0d72187c60033b7bcb861d93d3e4d3fa6cd3b

  • memory/2452-10-0x000000013F910000-0x000000013F928000-memory.dmp

    Filesize

    96KB