Analysis
- max time kernel: 890s
- max time network: 899s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250128-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 01/02/2025, 07:46
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win10ltsc2021-20250128-en
- 7 signatures
- 900 seconds
General
- Target: Client-built.exe
- Size: 78KB
- MD5: bcc4362515bc3e380880a72916ec3b5e
- SHA1: 2f91d2118e635873090e0fd4dc44d682e6e63094
- SHA256: 61f53e122d70c57b19cce541be0e24f0eebb253de1077984cf5cfc5f9880c17d
- SHA512: 0123256ccdab9b2f6b261b5e122cd3341ca30d69fad2cf2502fbb8fedd7abc37235b914c5471dd6208ec1e8d8d374757c0b0f520b27cf493ed38dd0f59dfec5c
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+xPIC:5Zv5PDwbjNrmAE+hIC
- Score: 10/10
Malware Config (Extracted)
- Family: discordrat
- Attributes:
  - discord_token: MTMzNDg2ODQ0OTQ4MjI0ODI1NA.Gfn3Zp.JLsMt1DJyl2BRKGnfJyJCStA144I28izJVPav8
  - server_id: 1334873666978189427
Signatures
- Discord RAT: A RAT written in C# using Discord as a C2.
- Discordrat family
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 23 IoCs)
  flow -> ioc: flows 5, 6, 11, 14, 15, 16, 17, 31, 32, 34, 35, 36, 43, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56 all contact discord.com
- Gathers system information (1 TTPs, 1 IoCs): Runs systeminfo.exe.
  pid 3060, Process systeminfo.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid 4016, Process Client-built.exe
  description: Token: SeDebugPrivilege, pid 3900, Process whoami.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4016, Process Client-built.exe
  pid 4016, Process Client-built.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4016 wrote to memory of 3720 | 4016 | Client-built.exe | 82
  PID 4016 wrote to memory of 3720 | 4016 | Client-built.exe | 82
  PID 4016 wrote to memory of 4968 | 4016 | Client-built.exe | 86
  PID 4016 wrote to memory of 4968 | 4016 | Client-built.exe | 86
  PID 4968 wrote to memory of 3900 | 4968 | cmd.exe | 88
  PID 4968 wrote to memory of 3900 | 4968 | cmd.exe | 88
  PID 4016 wrote to memory of 5076 | 4016 | Client-built.exe | 97
  PID 4016 wrote to memory of 5076 | 4016 | Client-built.exe | 97
  PID 5076 wrote to memory of 3060 | 5076 | cmd.exe | 99
  PID 5076 wrote to memory of 3060 | 5076 | cmd.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"  PID: 4016
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /C  PID: 3720
  - C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /C whoami  PID: 4968
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\whoami.exe  whoami  PID: 3900
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /C systeminfo  PID: 5076
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe  systeminfo  PID: 3060
      - Gathers system information
- C:\Windows\system32\notepad.exe  "C:\Windows\system32\notepad.exe"  PID: 4580