Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
30/12/2024, 03:21
241230-dwa1gswpdt 1030/11/2024, 20:08
241130-ywkj5sxqdp 1030/11/2024, 20:06
241130-yvtfnatmay 10Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
30/11/2024, 20:08
General
-
Target
discord_token_grabber.pyc
-
Size
17KB
-
MD5
e523026b612006e580e96bd9e2a8882c
-
SHA1
03b9938701f7eff11a0c3632ed805e8188598c88
-
SHA256
8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77
-
SHA512
a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853
-
SSDEEP
384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: currency-file@1
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4687356-fd9c-46e3-b095-057bf53c9818} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f9b1618-8c21-466f-b166-fbfa88806357} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3056 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7385397a-f00e-44ba-9d11-e47fbebd918c} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2812 -childID 2 -isForBrowser -prefsHandle 1248 -prefMapHandle 1216 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bbeb3ac-c885-48b5-bbe8-536ed48c4cd9} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4688 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97382a2-77cf-4a54-9bd2-4e9d534c827f} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2f508f9-299d-4e81-b41e-64d06a999516} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea31f38b-93d8-433f-9bb3-3e1813ea99ac} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b92209c5-a138-43ca-a42d-ece9f5d21c4d} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6204 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8a043fa-0202-44c1-8544-7dc537f70bc2} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -parentBuildID 20240401114208 -prefsHandle 6448 -prefMapHandle 6444 -prefsLen 29279 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62409357-3049-4f91-97c1-6ff5f9caf275} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7448 -childID 7 -isForBrowser -prefsHandle 7440 -prefMapHandle 7492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51a8aa42-2d5c-4275-87bd-c21cb7d7dcd6} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7368 -childID 8 -isForBrowser -prefsHandle 7668 -prefMapHandle 7676 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f554b21e-a1da-4da3-994b-5c0298bc9aa1} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7836 -childID 9 -isForBrowser -prefsHandle 7420 -prefMapHandle 5240 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b64ca3aa-e8cf-444f-9d05-32a6860f25e6} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8120 -childID 10 -isForBrowser -prefsHandle 8124 -prefMapHandle 8132 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d361a5f-422e-4358-ab26-88d4a7ac5d02} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5ae543fa551d1a0b1bc658f8daac9fabb
SHA1675364122fa3d2251b3d22ec2f2ea9414912dd36
SHA256f61288bd5db4a33fd57e3dcb2de5b74767e69e12a393346837c9f7eeed86c3f8
SHA51252d6ee5eca8f4e33450a116ca06678daca8276c49e4540a740b48f4ef580e79f0444f80a5ed04322fbb103e9a4f49dbe725a07c68a1eb66cd6b709d2f5bce16e
-
Filesize
8KB
MD5aa2b0fec41ce562dba07bff656fd1c64
SHA16d27965eff837ecf65f83fb65082fb2b4a41016e
SHA2569d7aae53b33e618afa64882aa13440807de31fae480f2d06652decb515effc3c
SHA512c2221074babd7771bca8eb4a775717f3b74102e6f64c41254efd234d8696286ad8051884471d6e0cdb161659cff274643959f49bf27dc51b179df2a4de1fe3aa
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5b910ef2a56347a20b8fe89f07cc406d6
SHA14fec1d9d5b4ce3a2edc258f818c242a51f64595a
SHA256f652f0a60e37025f15da36f7b383483da7bade3857e4de9da7d569ec17d3e3ee
SHA512d5b951dbffdb5ec30f6927074b1a3e6b36030fbe1d1c331ca9d5b62d2239faabbe26a2ffc456a65390b0b999ce64f83f6933b4b26c32974d0ba7efbe99ad32a7
-
Filesize
42KB
MD551040308fb44b0756893bed837a6155b
SHA1563ff09fcab89e11d25272073132b69ecfecfec9
SHA256cb6134d734636a01b440ca355cd7031f34c686709635c8fe5229bb08098de43e
SHA5127c026e0e1ddd9e2e45b34243522672e540d270f0bd081b74c6fcaf82efee4f185a7477a0fe91051f0e28608417a2b0fac3586a7875ff99eaf717c8557886b453
-
Filesize
5KB
MD5fbfd4ce4cf0e8432af56dd4ee5702b5b
SHA19bf98537e54084fc0d8fefbc3ccef64f49f4c3df
SHA256f9af42b13d595a06578b26c3293c2f23c2d2b112a848b7c690bda76ecf0bfef2
SHA512a9178e0f47381b4e8552ab05881d96b5bdc40a89d46fd97e56899a66246e88e4fac7d13635e520a96362655d6d94dabf295b6ebd4d591314b3a9e621f6990599
-
Filesize
6KB
MD5d693d447588f5d5e51dfd160b81d12db
SHA1dc96cb5eac2cddce66520a918189e3f63c84c83b
SHA25684e4abc6b11a665efa7f6cf475127354617cf7ebc2ebc72b11347101732bb46a
SHA512c0cd508ce00fdb5b8e4c9d7da9267aca5e3a642ef555da6c50e553df60847d98eb716895e74c1ee4be0a5d91cc5f9d81e60878928746fdc7c592423b6ddda25f
-
Filesize
982B
MD5982be6a495ef4ec52686030e277b3ec9
SHA10bfd85e47d12c2c995794de0353793c62b1bad37
SHA25654d1cbc9bb9dec5b65b40f9a743c1107a55808c11847689b28ec9bc38d4b6555
SHA512c67df0caef605621ce79cc91b7de66d6e7a8eb858d55bd58d59c38a2bb2d79c3e553a0b8879662b52e59b7ff7798a0ddb19a8cebfe10bce5f3e74a461dda4187
-
Filesize
671B
MD50e883c6cac98f0a5224eac28ded52ee5
SHA1748b7cf71c0d1ed7409f385e75cc631c16091de2
SHA25604e4dc062c5d0ef137ede0268ad79d2e8663b08a6663530173faf62c5b4f6cf6
SHA5126c235967afb4486e9203d7e52c697f74a7b2662c359992ab03718004e457fa79111a8812039e868475a939f3f96d303d65c0a7e1480e1b9bfc8540201e6ffcc7
-
Filesize
26KB
MD54b2c9e8bfeee3a99154c87e8dbc02abf
SHA1efba3448d77eb8791bdf66588321ba4c949b4887
SHA256080a52e16a21036e6a150f38af429e75b3a0bbff05b2bab2b02dc78c7f5b12a1
SHA51223ae1e2f2968706869797120e0bfe8bdad9da6fb3a77222b24ff3ef1bcf56f2b23c11f72ccc10650677750730feb9a3baa2f0875f9b4845da102f1223b77f6d0
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5d1bf01b5d02d326e184d3b296f2129d6
SHA18eb30ab934e89b716f9d8d1091dcab1d02d43280
SHA2566368ff53f8ad6b8bddc8a9152a8e4a574352bb0ee7ee993ee1cbfe4ae77f65c7
SHA512e9734118ae63759a13e8a0310c0d66c371fcf7d9b7696228b11a66a53273c511e857b155ed78146ac27d7df19a269bec85362713707a09d9707bfb99658a9d8f
-
Filesize
11KB
MD54e002278b1e106a6bfd0a5756b02ff08
SHA137550e95882391692c8dc72457170ef10fbdd15b
SHA25646219841fc8a33c9d591627f97cae514ba8236601647f5045fb954aadc520d1e
SHA5121ec7cfff4b914c862c47362759ea90c5adcbac72e83652f7c4809926f37df68a8d833308d5649970dfa10078239e1f840897489b7a08dfe17fc16e7a7a58749d
-
Filesize
10KB
MD5ccae364d3cbd64b4c936a1011674ab6f
SHA17a378cfeb5a27e6a349b7b01f5da3b4eb4f80d5a
SHA256ce4abee205b0de137f5fa3de209f91ac6c121add52703c9e220abe1f3a4f5bcd
SHA512202cb11309debae31af5d2f8c46df4b34fe010382a8da67a16adbd3dcd010222d64ae37b0367f44e2b974fa09c6526677fbbc69a8d350ec17449dc109df9aff2
-
Filesize
1KB
MD5c159b2325af732663f7cceab581882d8
SHA1284ca04b541b31fdbccf25bff6b5753115e56c47
SHA2564b6339c654460680418b9d3696800e1d391dce21f9cab9e70656db4a422deb7c
SHA51234e8f6415ac3f805e126bc0e9b68292b3907511929a645a3f2de0c46b60355e917b5e7db7d16c7470bc182561e7c8e5bea6a7234100865b562c873f0fed78099
-
Filesize
376KB
MD543f35ec976f82c62c39d1531638a2eca
SHA12bb3f2247891164cd7afa13af8713f9a99425c1c
SHA256fa13a60d00d28ed6c7d2fb6a8605604f259756c598cb70f5cc2c48ff46b756a7
SHA512a120475e1bade4a88a0093ba0390e8118c029b6fdd20e619b925b88e46959fb5679d62d7987069ea256f75ba01e01d41863e7626865ce82d0357b311798c648f
