Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/12/2024, 16:05

General

  • Target

    chromegpj.exe

  • Size

    372KB

  • MD5

    8cadd36be12b3cd44d9c50fc3008e394

  • SHA1

    8fa3308090c3aee5f61da184655aea845b8761fe

  • SHA256

    d621cd3aa3adc02c26daf4ffe4da673c4cad67a9d02cb6a0e43c278f8c290b07

  • SHA512

    e07ad462c95c9bd59aaade09c9c1fb324026c4291bf57bbd657715dc3377d6ce2bf55ab52e7c334f7a42693774c24db2c46d3a5599c6dfa81c464a7149abff72

  • SSDEEP

    3072:5n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe6:UE+yclwQKjdn+WPtYVJIoBfYgCiVII

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzE1MTMxMDMxMDY3NDQ1Mw.GKLp3H.CULEGtm2KgLqJoKC0S7wJsZGE2slaPIFOXFieM

  • server_id

    1189257292844122132

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\chromegpj.exe
    "C:\Users\Admin\AppData\Local\Temp\chromegpj.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2856 -s 596
        3⤵
        • Loads dropped DLL
        PID:1748
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\descarga.png

    Filesize

    960B

    MD5

    c4733882a9d5071c28e036357f79778e

    SHA1

    11fb1d9c081a89e75517078597ed1c50c920cc4e

    SHA256

    626aa0c3454fa40670ad329f95b14f10d3ae807cc4aae0c1ed95b85c186a8b4e

    SHA512

    b2efadf7e77e01e3532bd784560783e45a0ad029be2523718903fa4e38807bd4ef5926aa59fe1a4b3624253dc42448e898ea5fb443fd168e694385708d60ae50

  • \Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe

    Filesize

    78KB

    MD5

    6f777b54d1d1abbab58e3cfca94eeb30

    SHA1

    e14b9a58249d846abd519e8d95e276f83440ec09

    SHA256

    782d45fc815daeec76b2eb4e88fddf3057eec594b20ce63e6ccf0ae9bae91511

    SHA512

    aa0382f08ee2fa88742d47a017c7d2baf8d35ae13781b5302bdd1503afbd6edfb725aad3aee77d66ca18d959e47a28f661b817a15ade00b5879e67c1a6f094af

  • memory/2412-4-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

    Filesize

    8KB

  • memory/2832-5-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2832-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2832-20-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2856-13-0x000000013F490000-0x000000013F4A8000-memory.dmp

    Filesize

    96KB