Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/02/2025, 11:19
- Static task: static1
- Behavioral task: behavioral1
  Sample: d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
  Resource: win10v2004-20241007-en
General
- Target: d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
- Size: 391KB
- MD5: ed019318b08c6ec18086e3d8cc8ed4a0
- SHA1: c5b76f566ed8808d74a12766addbbb010fbe3aca
- SHA256: d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9
- SHA512: dc05444db94d51bc6a9cd4479e6ffe24fcd5dc6bd551219e67d05641b47da1be0691a3ff5a557f1cd5bc9d1688b3b50fb5fcef1d23ae8def28e61c66a33206ab
- SSDEEP: 6144:7E+yclwQKjdn+WPtYVJIoBfYo/eyd8/tbrIQ7Oi9Ku:7BdlwHRn+WlYV+RVz/Nr17J
Malware Config
Extracted: discordrat
- discord_token: MTMxNzUwNjY0NjkzMDYyMDQ5Ng.GNBK2Y.upogfQP8BcmxvUWnTPh9TiKyGPCxMpHGHpJtR0
- server_id: 1317507198582128671
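The two config values above can be triaged offline. This is an added example, not part of the tria.ge report or of the malware: the first dot-separated segment of a Discord bot token is the bot's user ID in base64, and Discord IDs (bot ID and server_id alike) are snowflakes whose upper bits are milliseconds since the Discord epoch of 2015-01-01 UTC. Decoding them gives the bot's account ID, when the bot and the C2 server were created, and a redacted token form safe to paste into a report, without ever presenting the token to Discord. The token and server_id are copied from the report; everything else is the example's own code.

```python
"""Offline triage of a discordrat config: decode the bot ID from the token and
derive creation times from Discord snowflakes. Nothing here contacts Discord."""
import base64
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch

# Copied from the "Malware Config" section of this report (not invented).
EXTRACTED_CONFIG = {
    "discord_token": "MTMxNzUwNjY0NjkzMDYyMDQ5Ng.GNBK2Y.upogfQP8BcmxvUWnTPh9TiKyGPCxMpHGHpJtR0",
    "server_id": "1317507198582128671",
}


def _b64decode_unpadded(segment: str) -> bytes:
    """Token segments are base64 with the '=' padding stripped; restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def bot_id_from_token(token: str) -> int:
    """Return the bot user ID carried in the first segment of a bot token.

    Raises ValueError if the token is not three dot-separated segments or the
    first segment does not decode to a decimal snowflake. The second and third
    segments are the secret material and are deliberately not interpreted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    decoded = _b64decode_unpadded(parts[0]).decode("ascii")
    if not decoded.isdigit():
        raise ValueError("first segment is not a decimal ID")
    return int(decoded)


def snowflake_to_ms(snowflake: int) -> int:
    """Unix milliseconds at which a Discord snowflake was generated
    (top 42 bits are ms since DISCORD_EPOCH_MS; low 22 bits are worker/sequence)."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake: int) -> datetime:
    return datetime.fromtimestamp(snowflake_to_ms(snowflake) / 1000, tz=timezone.utc)


def redact_token(token: str) -> str:
    """Keep only the bot-ID segment so the token can be shared in a report."""
    first, *_ = token.split(".")
    return first + ".<redacted>.<redacted>"


def triage(config: dict) -> dict:
    """Summarise a discordrat config for an analyst (pure function, no I/O)."""
    bot_id = bot_id_from_token(config["discord_token"])
    server_id = int(config["server_id"])
    bot_ms = snowflake_to_ms(bot_id)
    server_ms = snowflake_to_ms(server_id)
    return {
        "bot_id": bot_id,
        "bot_created": snowflake_to_datetime(bot_id).isoformat(),
        "server_id": server_id,
        "server_created": snowflake_to_datetime(server_id).isoformat(),
        "server_minus_bot_ms": server_ms - bot_ms,
        "token_for_report": redact_token(config["discord_token"]),
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

For this sample the bot ID decodes to 1317506646930620496 and both snowflakes date to 14 December 2024, the server about two minutes after the bot, which is the usual footprint of an operator standing up a throwaway bot and guild together shortly before the campaign. Treat the decoded bot ID, not the token, as the shareable indicator; the token itself should be reported to Discord for revocation rather than reused.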
Signatures
- Discord RAT: a RAT written in C# using Discord as a C2.
- Discordrat family
- Executes dropped EXE (1 IoC)
  pid   Process
  2784  rar.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2668  d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
  2780  WerFault.exe (5 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2680  DllHost.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2680  DllHost.exe (4 IoCs)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2668 wrote to memory of 2784  2668  d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe  31  (4 IoCs)
  PID 2784 wrote to memory of 2780  2784  rar.exe                                                                   32  (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe"
  PID: 2668
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe"
    PID: 2784
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2784 -s 604
      PID: 2780
      - Loads dropped DLL
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2680
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

Reading the tree: the RarSFX0 directory under %TEMP% is where a WinRAR self-extracting archive unpacks its contents, so the submitted sample is an SFX wrapper that drops and launches the embedded rar.exe (the "Executes dropped EXE" hit). WerFault.exe -p 2784 is Windows Error Reporting handling a crash of PID 2784, i.e. the dropped rar.exe faulted in this Windows 7 task rather than running to completion; the "Loads dropped DLL" hits on WerFault.exe are the crash handler reading the dropped modules, not the payload loading them. The DllHost.exe COM surrogate is a separate top-level process, not a child of the sample, so its FindShellTrayWindow/SetWindowsHookEx hits should not be attributed to the RAT without corroboration from the Windows 10 task.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: 606613cc1965ecf6ec7b42d94efcb2cd
  SHA1: 84e848b5958b7352b3c748bc56db99ea07eb23d2
  SHA256: b5f36538eb0dde089abec9b880c153d6216b8fdbc3941f3396ef6a68c105cad6
  SHA512: f876d6b0b02505fc835a7a048f90bdfd3ff31682a4e84acc58dbb4c4255be030c1bb8fbc7c822f6f6b9c46061fb4716bae9d98cff9217155a5cd841294e6ab7b
- Filesize: 78KB
  MD5: 928b34327061b09e7e40759d04363eeb
  SHA1: a1e5715f0e0d054d654dcc6746b37c9a60f9ccfe
  SHA256: ea72c77769e394a017c08af3640c090d4216495d730f2612e8729d933589460c
  SHA512: 62b8bd581583f872f4df5b2ffd999a31b6d98c6aa16ae522d02e2124995d5d4a4253e459b31af55abaaffd4e0d6bf373b5cc2b4b5269053994629f5ef82c2250