Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2025, 08:58
Static task
- static1
Behavioral task
- behavioral1
  - Sample: mtreegpj.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: mtreegpj.exe
  - Resource: win10v2004-20241007-en
General
- Target: mtreegpj.exe
- Size: 1.3MB
- MD5: b8b0baac29daa1eff8ecb046fe91f104
- SHA1: c6ece29c90cb57bca393139e44d70b029bc1f677
- SHA256: 27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
- SHA512: 5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
- SSDEEP: 24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI
Malware Config
Extracted
- Family: discordrat
- discord_token: MTMzMjk5NDEwMjkwMzU3MDU0Mw.GjHo9c.uUUeJljLrRcuIvW_FlFF0o4Eh6h5i-SEDWYry8
- server_id: 1332539766268231760
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Executes dropped EXE (1 IoC)
  pid 2652, process Client-built.exe
- Loads dropped DLL (6 IoCs)
  pid 2164, process mtreegpj.exe
  pid 2544, process WerFault.exe (x5)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2164 wrote to memory of 2652; pid 2164; process mtreegpj.exe; procid_target 32 (x3)
  description: PID 2652 wrote to memory of 2544; pid 2652; process Client-built.exe; procid_target 33 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe"
  PID: 2164
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
    PID: 2652
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2652 -s 596
      PID: 2544
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: cf3c7283d0e6d81dbd48c159d7e9b3b3
  SHA1: bdbf22216c154f6ce7271656692aac72d6722ea7
  SHA256: 8f55bd1762834764908a60c291607ec869cde7609c558edf1f02a4bfa6e39ae5
  SHA512: 36e8b38288450a9e60437abfe3971b824e128c63c773843c1ac139b52265602012c322cadcc58705215d7d76f08bfb7f983c011b15bcda15b89dfb22df5d9fc6