Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
159s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01/10/2022, 18:07
General
-
Target
F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe
-
Size
176KB
-
MD5
f8b8c7e30a0c98c7db0c64d4b925db75
-
SHA1
928ec1e03d21f51f34da1a7c801fdce9a36b3c36
-
SHA256
f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40
-
SHA512
67d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3
-
SSDEEP
3072:tuK0THf52BTHbvxPZYJ01yDgNlfWSZ0cXF:tuK+chHbIpgy/m
Malware Config
Extracted
asyncrat
0.5.7B
Default
zulakim.duckdns.org:6606
zulakim.duckdns.org:7707
zulakim.duckdns.org:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
dllhost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe"C:\Users\Admin\AppData\Local\Temp\F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4C7.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5ec113f4c1bb20e51b55990a373026e22
SHA1f5e504a601cefadff05a41457b1a21535bbf3cc5
SHA2568b4218b16af1d3da63c22f893504a880e73111fb7ba3453299f0e20380918ed5
SHA51217db8b747a79b292325f9598670506dd57dc10a25852874c3461af05470bc2b082bd31b941bd683e60141c795fd0a70630c503f263542c675bdd43ac1ce9bd01
-
Filesize
176KB
MD5f8b8c7e30a0c98c7db0c64d4b925db75
SHA1928ec1e03d21f51f34da1a7c801fdce9a36b3c36
SHA256f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40
SHA51267d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3
-
Filesize
176KB
MD5f8b8c7e30a0c98c7db0c64d4b925db75
SHA1928ec1e03d21f51f34da1a7c801fdce9a36b3c36
SHA256f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40
SHA51267d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3
-
Filesize
200KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
408KB