Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2025, 11:19

General

  • Target

    d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe

  • Size

    391KB

  • MD5

    ed019318b08c6ec18086e3d8cc8ed4a0

  • SHA1

    c5b76f566ed8808d74a12766addbbb010fbe3aca

  • SHA256

    d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9

  • SHA512

    dc05444db94d51bc6a9cd4479e6ffe24fcd5dc6bd551219e67d05641b47da1be0691a3ff5a557f1cd5bc9d1688b3b50fb5fcef1d23ae8def28e61c66a33206ab

  • SSDEEP

    6144:7E+yclwQKjdn+WPtYVJIoBfYo/eyd8/tbrIQ7Oi9Ku:7BdlwHRn+WlYV+RVz/Nr17J

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzUwNjY0NjkzMDYyMDQ5Ng.GNBK2Y.upogfQP8BcmxvUWnTPh9TiKyGPCxMpHGHpJtR0

  • server_id

    1317507198582128671

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2784 -s 604
        3⤵
        • Loads dropped DLL
        PID:2780
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.png

    Filesize

    16KB

    MD5

    606613cc1965ecf6ec7b42d94efcb2cd

    SHA1

    84e848b5958b7352b3c748bc56db99ea07eb23d2

    SHA256

    b5f36538eb0dde089abec9b880c153d6216b8fdbc3941f3396ef6a68c105cad6

    SHA512

    f876d6b0b02505fc835a7a048f90bdfd3ff31682a4e84acc58dbb4c4255be030c1bb8fbc7c822f6f6b9c46061fb4716bae9d98cff9217155a5cd841294e6ab7b

  • \Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe

    Filesize

    78KB

    MD5

    928b34327061b09e7e40759d04363eeb

    SHA1

    a1e5715f0e0d054d654dcc6746b37c9a60f9ccfe

    SHA256

    ea72c77769e394a017c08af3640c090d4216495d730f2612e8729d933589460c

    SHA512

    62b8bd581583f872f4df5b2ffd999a31b6d98c6aa16ae522d02e2124995d5d4a4253e459b31af55abaaffd4e0d6bf373b5cc2b4b5269053994629f5ef82c2250

  • memory/2668-4-0x0000000002380000-0x0000000002382000-memory.dmp

    Filesize

    8KB

  • memory/2680-5-0x0000000000110000-0x0000000000112000-memory.dmp

    Filesize

    8KB

  • memory/2680-7-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

  • memory/2680-20-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

  • memory/2784-13-0x000000013FA40000-0x000000013FA58000-memory.dmp

    Filesize

    96KB