Analysis
max time kernel: 118s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/02/2025, 13:21
Behavioral task behavioral1
Sample: CARBOT BOT 2.0.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: CARBOT BOT 2.0.exe
Resource: win10v2004-20250207-en
General
Target: CARBOT BOT 2.0.exe
Size: 78KB
MD5: f84e3c47d28a741b08c30c7a04c6ee00
SHA1: b45ae22bd44f7228b9c4a0242e65d2af6d2b7b76
SHA256: f5086a9d0e3bdb92e469896feaa431fb9e82c82cf6d031f73b35e5cc8c6331fc
SHA512: fb62a0d8f8bf29316b0f3490f267df36248f2b8314ca39bab23b33824372a72460f8d62e4c1875388df6f3d5bdbe494f0a95ec90c9255b23f62a2c5f9d978967
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ZPIC:5Zv5PDwbjNrmAE+pIC
Malware Config
Extracted: discordrat
discord_token: MTMzODEzMzAzMTI4MTQ5NjA3NQ.G9nEy-.M7VwbXAvMLglPonGh0POraMB1SrrA8Sg01-xIg
server_id: 1012892095574454333
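The extracted discordrat config is only a bot token and a guild (server) ID, but both carry more than they appear to. The token's first dot-separated segment is the base64 encoding of the bot account's numeric Discord ID (the widely documented token layout), and every Discord ID is a snowflake whose upper bits hold a creation timestamp, so an analyst can recover the account ID and the creation time of both the bot account and the server offline, without touching Discord's API. The following is an added Python example, not part of the tria.ge report, that does this for the values above. It assumes only the snowflake epoch Discord documents (2015-01-01 UTC, bit 22 upward) and deliberately does not interpret the token's second and third segments.

```python
import base64
from datetime import datetime, timezone

# Values as extracted in the report's Malware Config section.
DISCORD_TOKEN = "MTMzODEzMzAzMTI4MTQ5NjA3NQ.G9nEy-.M7VwbXAvMLglPonGh0POraMB1SrrA8Sg01-xIg"
SERVER_ID = 1012892095574454333

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1420070400000


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; Discord strips the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_user_id(token: str) -> int:
    """The first dot-separated segment of a token is the base64 of the account's snowflake ID."""
    first = token.split(".", 1)[0]
    return int(_b64url_decode(first).decode("ascii"))


def snowflake_created_at(snowflake: int) -> datetime:
    """Bits 22 and up of a snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def summarize(token: str, server_id: int) -> dict:
    """Turn the extracted config into the identifiers an analyst reports or pivots on."""
    bot_id = token_user_id(token)
    return {
        "bot_user_id": bot_id,
        "bot_created_at": snowflake_created_at(bot_id).isoformat(timespec="seconds"),
        "server_id": server_id,
        "server_created_at": snowflake_created_at(server_id).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    for key, value in summarize(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

The bot user ID is the identifier to quote when reporting the account to Discord, and its creation time is worth comparing against the submission time in the Analysis section: an account created minutes before the sample surfaced is a strong sign of a freshly built, single-use C2 bot rather than a long-lived one.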
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Discordrat family
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the sample excludes the entire system drive (Add-MpPreference -ExclusionPath "C:\"), which effectively disables Defender scanning for anything on C:\.
  pid   Process
  4476  powershell.exe
Downloads MZ/PE file (2 IoCs)
  flow  pid   Process
  54    2020  Process not Found
  70    2212  CARBOT BOT 2.0.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)
  flow  ioc
  42    discord.com
  64    discord.com
  70    raw.githubusercontent.com
  8     discord.com
  9     discord.com
  17    discord.com
  34    discord.com
  63    discord.com
  69    raw.githubusercontent.com
  33    discord.com
  38    discord.com
  43    discord.com
  48    discord.com
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that this IoC is attributed to MicrosoftEdgeUpdate.exe (PID 1468), which the process list shows as a separate top-level process, not as a child of the sample.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MicrosoftEdgeUpdate.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems. As above, the flagged process is MicrosoftEdgeUpdate.exe (PID 1468), not the sample.
  pid   Process
  1468  MicrosoftEdgeUpdate.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample registers a task named "$77CARBOT BOT 2.0.exe" that re-launches its Temp copy at every logon (/sc onlogon) with the highest available run level (/rl HIGHEST).
  pid   Process
  3488  SCHTASKS.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4476  powershell.exe
  4476  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2212  CARBOT BOT 2.0.exe
  Token: SeDebugPrivilege  4476  powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process             procid_target
  PID 2212 wrote to memory of 4476  2212  CARBOT BOT 2.0.exe  93
  PID 2212 wrote to memory of 4476  2212  CARBOT BOT 2.0.exe  93
  PID 2212 wrote to memory of 3488  2212  CARBOT BOT 2.0.exe  95
  PID 2212 wrote to memory of 3488  2212  CARBOT BOT 2.0.exe  95
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe"
  - Downloads MZ/PE file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2212
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4476
  C:\Windows\SYSTEM32\SCHTASKS.exe
    command line: "SCHTASKS.exe" /create /tn "$77CARBOT BOT 2.0.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe'" /sc onlogon /rl HIGHEST
    - Scheduled Task/Job: Scheduled Task
    PID: 3488
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTcxNzk0ODg3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 1468
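The two children of PID 2212 are the sample's whole observable behaviour in this run: a Defender exclusion covering the entire C: drive, and a logon-triggered scheduled task that re-runs the Temp copy at highest run level. Both are cheap to catch from process-creation telemetry if the rule looks at the argument values and the parent, not just the image name. Below is an added Python example, not part of the tria.ge report, that runs two such rules over constructed process-creation records built from this tree. The three command lines and the parent/child links between PIDs 2212, 4476 and 3488 are taken from the report; explorer.exe as the sample's parent, the Edge updater's parent, and the two benign control events (PIDs 5000 and 5001) are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style).
# Command lines and links between 2212, 4476 and 3488 come from the report; the
# explorer.exe parent, the Edge updater's parent and PIDs 5000/5001 are assumptions.
EVENTS = [
    {"pid": 1104, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2212, "ppid": 1104,
     "image": r"C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe"'},
    {"pid": 4476, "ppid": 2212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"'},
    {"pid": 3488, "ppid": 2212,
     "image": r"C:\Windows\SYSTEM32\SCHTASKS.exe",
     "cmdline": r'''"SCHTASKS.exe" /create /tn "$77CARBOT BOT 2.0.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\CARBOT BOT 2.0.exe'" /sc onlogon /rl HIGHEST'''},
    # Sandbox background noise: the Edge updater ping (its base64 payload is left out here).
    {"pid": 1468, "ppid": 1104,
     "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping'},
    # Benign controls: an admin excluding a build directory, and a daily backup task.
    {"pid": 5000, "ppid": 1104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Dev\build"'},
    {"pid": 5001, "ppid": 1104,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]

# Directories an unprivileged user can write to; a parent or task target living there is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
EXCLUSION = re.compile(r'-Exclusion(Path|Extension|Process)\s+"?([^"\s]+)', re.I)
TASK_TRIGGER = re.compile(r"/sc\s+(onlogon|onstart)\b", re.I)
TASK_RUNLEVEL = re.compile(r"/rl\s+highest\b", re.I)
TASK_ACTION = re.compile(r"""/tr\s+"?'?([^"']+)""", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Apply the two rules to every event, using the parent image to raise severity."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])
        parent_untrusted = bool(parent and USER_WRITABLE.search(parent["image"]))

        # Rule 1: Defender exclusion added via PowerShell. A drive-root exclusion or an
        # untrusted parent is high; a narrow exclusion from a normal parent is medium.
        if name == "powershell.exe":
            m = EXCLUSION.search(cmd)
            if m:
                kind, value = m.group(1), m.group(2)
                sev = "high" if DRIVE_ROOT.match(value) or parent_untrusted else "medium"
                findings.append(Finding(e["pid"], "defender_exclusion", sev, f"{kind}={value}"))

        # Rule 2: logon/boot task at highest run level whose action lives in a
        # user-writable directory, or which was created by an untrusted parent.
        elif name == "schtasks.exe" and "/create" in cmd.lower():
            action = TASK_ACTION.search(cmd)
            target = action.group(1) if action else ""
            if TASK_TRIGGER.search(cmd) and TASK_RUNLEVEL.search(cmd) and (
                USER_WRITABLE.search(target) or parent_untrusted
            ):
                findings.append(Finding(e["pid"], "logon_task_highest", "high", target))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid={f.pid} rule={f.rule} severity={f.severity} {f.detail}")
```

Run against the constructed events, the rules fire on PIDs 4476 and 3488 as high, on the admin's build-directory exclusion (PID 5000) as medium, and not at all on the Edge updater or the daily backup task. On a host where these fire, the cleanup the report implies is to remove the exclusion (Get-MpPreference shows the ExclusionPath list; Remove-MpPreference -ExclusionPath "C:\" drops it), delete the task (schtasks /delete /tn "$77CARBOT BOT 2.0.exe" /f), and only then remove the Temp executable.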
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82