Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 13/12/2024, 16:05
Static task
- static1
Behavioral task
- behavioral1: sample chromegpj.exe, resource win7-20240729-en
- behavioral2: sample chromegpj.exe, resource win10v2004-20241007-en
General
- Target: chromegpj.exe
- Size: 372KB
- MD5: 8cadd36be12b3cd44d9c50fc3008e394
- SHA1: 8fa3308090c3aee5f61da184655aea845b8761fe
- SHA256: d621cd3aa3adc02c26daf4ffe4da673c4cad67a9d02cb6a0e43c278f8c290b07
- SHA512: e07ad462c95c9bd59aaade09c9c1fb324026c4291bf57bbd657715dc3377d6ce2bf55ab52e7c334f7a42693774c24db2c46d3a5599c6dfa81c464a7149abff72
- SSDEEP: 3072:5n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe6:UE+yclwQKjdn+WPtYVJIoBfYgCiVII
Malware Config
Extracted: discordrat
- discord_token: MTMxNzE1MTMxMDMxMDY3NDQ1Mw.GKLp3H.CULEGtm2KgLqJoKC0S7wJsZGE2slaPIFOXFieM
- server_id: 1189257292844122132
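The extracted config above gives two identifiers an analyst can read offline without touching the C2: the first segment of a Discord token is base64 of the bot's numeric ID, and Discord IDs ("snowflakes", both the bot ID and the server_id) carry a millisecond creation timestamp in their upper bits. The helper below is an added triage example, not tria.ge output or code from the sample; the token and server_id are copied from this page, the submission time is taken from the report header with UTC assumed because the page gives no timezone, and the token's remaining two segments are left undecoded and never used to authenticate.

```python
"""Decode the bot ID from a Discord token and date the C2 identifiers.

Added example for the discordrat config on this page (not tria.ge code).
"""
import base64
import datetime as dt
import re

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, start of Discord snowflakes

# Copied from the extracted config on this page. Never used to log in here.
DISCORD_TOKEN = "MTMxNzE1MTMxMDMxMDY3NDQ1Mw.GKLp3H.CULEGtm2KgLqJoKC0S7wJsZGE2slaPIFOXFieM"
SERVER_ID = 1189257292844122132
# Submission time from the report header; timezone is not on the page, UTC is assumed.
SUBMITTED = dt.datetime(2024, 12, 13, 16, 5, tzinfo=dt.timezone.utc)

_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def token_bot_id(token: str) -> int:
    """Return the numeric bot/user ID encoded in the first token segment."""
    if not _TOKEN_RE.match(token):
        raise ValueError("not a three-segment Discord token")
    first = token.split(".", 1)[0]
    first += "=" * (-len(first) % 4)  # Discord strips base64 padding; restore it
    raw = base64.urlsafe_b64decode(first)
    if not raw.isdigit():
        raise ValueError("first token segment does not decode to a numeric ID")
    return int(raw)


def snowflake_to_datetime(snowflake: int) -> dt.datetime:
    """Creation time of a Discord snowflake: bits 22 and up are ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    # Integer timedelta arithmetic avoids float rounding of the millisecond value.
    return dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(milliseconds=ms)


def snowflake_fields(snowflake: int) -> dict:
    """All four snowflake fields; hand-typed or fabricated IDs tend to have odd low fields."""
    return {
        "created": snowflake_to_datetime(snowflake),
        "worker": (snowflake >> 17) & 0x1F,
        "process": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }


def config_timeline(token: str, server_id: int, submitted: dt.datetime) -> dict:
    """Relate the C2 identifiers to the time the sample was submitted."""
    bot_id = token_bot_id(token)
    bot_created = snowflake_to_datetime(bot_id)
    server_created = snowflake_to_datetime(server_id)
    return {
        "bot_id": bot_id,
        "bot_created": bot_created,
        "server_created": server_created,
        "bot_age_at_submission": submitted - bot_created,
        "server_age_at_submission": submitted - server_created,
    }


if __name__ == "__main__":
    for key, value in config_timeline(DISCORD_TOKEN, SERVER_ID, SUBMITTED).items():
        print(f"{key:>26}: {value}")
```

For this config the bot ID decodes to 1317151310310674453, created 2024-12-13 15:29:03 UTC, which is within the hour before the 16:05 submission, while the server dates to 2023-12-26; a freshly minted bot attached to a year-old server is the pattern of an operator reusing one guild across many builds. The bot ID and server_id are the stable pivots for hunting across related samples; the token itself rotates when the operator resets it.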
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Executes dropped EXE (1 IoC)
  pid 2856, process chrome.exe
- Loads dropped DLL (6 IoCs)
  pid 2412, process chromegpj.exe
  pid 1748, process WerFault.exe (listed 5 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process chromegpj.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process DllHost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2832, process DllHost.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2832, process DllHost.exe (listed 4 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2412 (chromegpj.exe) wrote to memory of PID 2856, procid_target 31 (listed 4 times)
  PID 2856 (chrome.exe) wrote to memory of PID 1748, procid_target 32 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\chromegpj.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chromegpj.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe (PID 2856, child of 2412; RarSFX0 is the extraction directory of a WinRAR self-extracting stub)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1748, child of 2856; Windows Error Reporting handling a fault in PID 2856)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2856 -s 596
      - Loads dropped DLL
- C:\Windows\SysWOW64\DllHost.exe (PID 2832)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
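The process tree above is a compact detection case: a file in the user's Temp directory spawns a browser-named executable from a %TEMP%\RarSFX<n>\ directory, writes to its memory, and the child is then handed to WerFault, so the payload crashed on Windows 7 before the RAT ever ran. The detection below is an added example, not tria.ge code; it runs over process-creation records constructed to mirror this tree (paths and PIDs copied from the page, parent PIDs and the benign control row are invented), and the record fields are an assumption loosely modelled on Sysmon process-creation events rather than any particular product's schema.

```python
"""Flag the SFX-drop chain seen in this report over constructed process events.

Added detection example for the process tree on this page (not tria.ge code).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
BROWSER_NAMES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# WerFault.exe -p <pid> names the faulting process.
WERFAULT_PID = re.compile(r"\bWerFault\.exe\s.*-p\s+(\d+)", re.IGNORECASE)

# Constructed to mirror the page's tree; ppids 1000/600 and the last row are invented.
EVENTS = [
    ProcessEvent(2412, 1000, r"C:\Users\Admin\AppData\Local\Temp\chromegpj.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\chromegpj.exe"'),
    ProcessEvent(2856, 2412, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe"'),
    ProcessEvent(1748, 2856, r"C:\Windows\system32\WerFault.exe",
                 r"C:\Windows\system32\WerFault.exe -u -p 2856 -s 596"),
    ProcessEvent(2832, 600, r"C:\Windows\SysWOW64\DllHost.exe",
                 r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
    # Benign control: the real browser launched from its install directory.
    ProcessEvent(4100, 3000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_sfx_drops(events):
    """(parent, child) pairs where a Temp-resident parent ran an EXE out of RarSFX<n>."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent and SFX_DIR.search(child.image) and TEMP_DIR.search(parent.image):
            hits.append((parent, child))
    return hits


def find_masquerading_browsers(events):
    """Executables named like a browser but not running from Program Files."""
    return [e for e in events
            if basename(e.image) in BROWSER_NAMES
            and not e.image.lower().startswith(PROGRAM_FILES)]


def find_crashed_children(events, drops):
    """Dropped children that WerFault later reported as faulting (payload died early)."""
    faulted = set()
    for e in events:
        m = WERFAULT_PID.search(e.command_line)
        if m:
            faulted.add(int(m.group(1)))
    return [child for _, child in drops if child.pid in faulted]


def triage(events) -> dict:
    drops = find_sfx_drops(events)
    return {
        "sfx_drops": [(p.pid, c.pid) for p, c in drops],
        "masquerading": sorted(e.pid for e in find_masquerading_browsers(events)),
        "crashed_drops": [c.pid for c in find_crashed_children(events, drops)],
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

The crash check matters for triage rather than detection: a dropped payload that faults immediately under WerFault explains why the Windows 7 run shows no network activity and why the config extraction, not the behaviour, is the useful output of this task.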
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 960B
  MD5: c4733882a9d5071c28e036357f79778e
  SHA1: 11fb1d9c081a89e75517078597ed1c50c920cc4e
  SHA256: 626aa0c3454fa40670ad329f95b14f10d3ae807cc4aae0c1ed95b85c186a8b4e
  SHA512: b2efadf7e77e01e3532bd784560783e45a0ad029be2523718903fa4e38807bd4ef5926aa59fe1a4b3624253dc42448e898ea5fb443fd168e694385708d60ae50
- Filesize: 78KB
  MD5: 6f777b54d1d1abbab58e3cfca94eeb30
  SHA1: e14b9a58249d846abd519e8d95e276f83440ec09
  SHA256: 782d45fc815daeec76b2eb4e88fddf3057eec594b20ce63e6ccf0ae9bae91511
  SHA512: aa0382f08ee2fa88742d47a017c7d2baf8d35ae13781b5302bdd1503afbd6edfb725aad3aee77d66ca18d959e47a28f661b817a15ade00b5879e67c1a6f094af