Analysis
  max time kernel:  117s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        19/10/2024, 02:24
Static task
  static1

Behavioral task
  behavioral1
    Sample:   f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
    Resource: win7-20240903-en

Behavioral task
  behavioral2
    Sample:   f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
    Resource: win10v2004-20241007-en
General
  Target: f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Size:   476KB
  MD5:    23c3f2c8794f05b832c82f72258ba38a
  SHA1:   6d26d5bbe68f6908f5f43aa448238fd135d7bd93
  SHA256: f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4
  SHA512: 87236ab4eeb9dfcabb28fce2708d02ef13550dccf488348907ee8764e47bf527cb8fb825bcf5152db25b621a53be6ef48d9ea11702e53c5bc32e5369edf2aafa
  SSDEEP: 12288:xCQjgAtAHM+vetZxF5EWry8AJGy0ObZh2IJBx:x5ZWs+OZVEWry8AF5b24
Malware Config
  Extracted: discordrat
    discord_token: MTI5NjYzNjQ4OTQ0NjE5OTQwOA.GEhciD.QzYUmAgRRkM4btANs6IF2LW4kGU-L42O5YO-Cs
    server_id:     1296636393107488851
Signatures

Discord RAT
  A RAT written in C# using Discord as a C2.

Executes dropped EXE (1 IoCs)
  pid   Process
  2452  samp23.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  2316  WerFault.exe
  2316  WerFault.exe
  2316  WerFault.exe
  2316  WerFault.exe
  2316  WerFault.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe

Modifies registry class (9 IoCs)
  description      ioc                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.cs                                                 f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.cs\ = "cs_auto_file"                               f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell                                  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read\command                     f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings                                      f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file                                        f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\                                       f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read                             f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2780  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2780  AcroRd32.exe
  2780  AcroRd32.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 3016 wrote to memory of 2780     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   30
  PID 3016 wrote to memory of 2780     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   30
  PID 3016 wrote to memory of 2780     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   30
  PID 3016 wrote to memory of 2780     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   30
  PID 3016 wrote to memory of 2452     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   31
  PID 3016 wrote to memory of 2452     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   31
  PID 3016 wrote to memory of 2452     3016  f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe   31
  PID 2452 wrote to memory of 2316     2452  samp23.exe                                                              32
  PID 2452 wrote to memory of 2316     2452  samp23.exe                                                              32
  PID 2452 wrote to memory of 2316     2452  samp23.exe                                                              32
Processes (indentation shows parent/child depth)

  C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe"
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3016

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\noradio.cs"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2780

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2452

      C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2452 -s 600
        - Loads dropped DLL
        PID: 2316
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 17KB
  MD5:      2e3e0c90408b4f53deda5e7e2e975224
  SHA1:     8f2da25b994e7daadf488d2d81c252de1a7d9418
  SHA256:   f7107f81e1e8815570578fc9b75e6fa75337586288da0126fcc3fa2b8db5acae
  SHA512:   264f8a8a5a369e313f08aae71ca7a22d6472806efbc7a865dd7d650c2d67fd309dc1870eea3c68a6a730bb42a038b5c3d4ec2fc6f97f20e8e97353b2610fde85

  Filesize: 3KB
  MD5:      6bca49bcef06a88fd646fadd414b2855
  SHA1:     5789c53c45a6aae663d99cfb2c54f19f14a498f8
  SHA256:   355215120cabd23f7039fd60f6405c22b458074e95481f6f6db03b9ea7f18e14
  SHA512:   6c7049e10cff537a26a3896801b5364915ebf457c83f4757b0bd09d43c65503b88752e823f7ff6ba9479ddc1328500c03a11a868ce42f4f117995699a9409db3

  Filesize: 78KB
  MD5:      8d5085a3b59652009f453ed350c90315
  SHA1:     d9faa65484d652e7a4ad41bc8f8208c0a0fb1343
  SHA256:   fd75a4cb2497043b93f9027cc2116954fbb83865bdb040417da2a651ea88c425
  SHA512:   ed2df9143d0a15a484e2b6ffa3257d9e17151fede7eb37140a096c28b33b4062d94afa0daf4d926d7bf5b0cfc0d0d72187c60033b7bcb861d93d3e4d3fa6cd3b