Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/12/2024, 16:05

General

  • Target

    chromegpj.exe

  • Size

    372KB

  • MD5

    8cadd36be12b3cd44d9c50fc3008e394

  • SHA1

    8fa3308090c3aee5f61da184655aea845b8761fe

  • SHA256

    d621cd3aa3adc02c26daf4ffe4da673c4cad67a9d02cb6a0e43c278f8c290b07

  • SHA512

    e07ad462c95c9bd59aaade09c9c1fb324026c4291bf57bbd657715dc3377d6ce2bf55ab52e7c334f7a42693774c24db2c46d3a5599c6dfa81c464a7149abff72

  • SSDEEP

    3072:5n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe6:UE+yclwQKjdn+WPtYVJIoBfYgCiVII

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzE1MTMxMDMxMDY3NDQ1Mw.GKLp3H.CULEGtm2KgLqJoKC0S7wJsZGE2slaPIFOXFieM

  • server_id

    1189257292844122132

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\chromegpj.exe
    "C:\Users\Admin\AppData\Local\Temp\chromegpj.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.exe

    Filesize

    78KB

    MD5

    6f777b54d1d1abbab58e3cfca94eeb30

    SHA1

    e14b9a58249d846abd519e8d95e276f83440ec09

    SHA256

    782d45fc815daeec76b2eb4e88fddf3057eec594b20ce63e6ccf0ae9bae91511

    SHA512

    aa0382f08ee2fa88742d47a017c7d2baf8d35ae13781b5302bdd1503afbd6edfb725aad3aee77d66ca18d959e47a28f661b817a15ade00b5879e67c1a6f094af

  • memory/1972-14-0x00007FF9CF053000-0x00007FF9CF055000-memory.dmp

    Filesize

    8KB

  • memory/1972-15-0x00000281594F0000-0x0000028159508000-memory.dmp

    Filesize

    96KB

  • memory/1972-16-0x0000028173BD0000-0x0000028173D92000-memory.dmp

    Filesize

    1.8MB

  • memory/1972-17-0x00007FF9CF050000-0x00007FF9CFB11000-memory.dmp

    Filesize

    10.8MB

  • memory/1972-18-0x00000281743D0000-0x00000281748F8000-memory.dmp

    Filesize

    5.2MB

  • memory/1972-19-0x00007FF9CF053000-0x00007FF9CF055000-memory.dmp

    Filesize

    8KB

  • memory/1972-20-0x00007FF9CF050000-0x00007FF9CFB11000-memory.dmp

    Filesize

    10.8MB

  • memory/1972-22-0x00007FF9CF050000-0x00007FF9CFB11000-memory.dmp

    Filesize

    10.8MB