Analysis
  max time kernel: 142s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/01/2025, 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: mtreegpj.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: mtreegpj.exe
  Resource: win10v2004-20241007-en
General
  Target: mtreegpj.exe
  Size: 1.3MB
  MD5: b8b0baac29daa1eff8ecb046fe91f104
  SHA1: c6ece29c90cb57bca393139e44d70b029bc1f677
  SHA256: 27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
  SHA512: 5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
  SSDEEP: 24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI
Malware Config
Extracted: discordrat
  discord_token: MTMzMjk5NDEwMjkwMzU3MDU0Mw.GjHo9c.uUUeJljLrRcuIvW_FlFF0o4Eh6h5i-SEDWYry8
  server_id: 1332539766268231760
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  812 | NetSh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | mtreegpj.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4464 | Client-built.exe
- Abuse Elevation Control Mechanism: Bypass User Account Control (1 TTPs, 1 IoCs)
  UAC Bypass Attempt via SilentCleanup Task.
  pid | Process
  2308 | SCHTASKS.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
  flow | ioc
  24 | discord.com
  48 | discord.com
  49 | discord.com
  62 | discord.com
  65 | discord.com
  18 | discord.com
  19 | discord.com
  53 | discord.com
  54 | discord.com
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2C85.tmp.png" | Client-built.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | NetSh.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4684 | msedge.exe
  4684 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4464 | Client-built.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4464 | Client-built.exe
  4464 | Client-built.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe"
  PID: 1168
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
    PID: 4464
    Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\NetSh.exe
      Command line: "NetSh.exe" Advfirewall set allprofiles state off
      PID: 812
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\SYSTEM32\SCHTASKS.exe
      Command line: "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      PID: 2308
      Signatures: Abuse Elevation Control Mechanism: Bypass User Account Control
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc55e5ef0h67f4h47c5ha73dhebfc9e0e4287
  PID: 432
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8507546f8,0x7ff850754708,0x7ff850754718
    PID: 2912
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    PID: 4308
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    PID: 4684
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4693949325300515975,1765052444608238372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    PID: 3096
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4652
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads