Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

09ee64f8bb...8a.exe

windows7-x64

10

09ee64f8bb...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2022, 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09ee64f8bb9aebb6a09da283e34c528a.exe

  • Size

    232KB

  • MD5

    09ee64f8bb9aebb6a09da283e34c528a

  • SHA1

    3b55fff91903daf89131c1ee51653c7cf4027d18

  • SHA256

    e03f6c4f04ef25238b6d7c8a447555402caa7d1ddb1803bbb6cbcb889cab1135

  • SHA512

    e12a387b578dc1b1307e9bc7fb43e9da5b4a10106958fb329e171f8851767911814e74e2c7468460d00a9adf1691430be28439a087e12383a16a27b8e490aebf

  • SSDEEP

    6144:bDubaBBOBIIj6HLLYLCYJqvc1DMaJ+2+AHbEr1peYGrNNaR0NUg:ubaj9Gk1pLZi

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5841906429:AAHSe6la_NGlt9rOSoOwJAowwZ6H54N0dWA/sendMessage?chat_id=5816850831
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe
    "C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4404
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:772
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:3708
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3884
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:824
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:924
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe"
                2⤵
                • Creates scheduled task(s)
                PID:4036

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4872-133-0x0000000005700000-0x0000000005766000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4872-132-0x0000000000D80000-0x0000000000DC0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4872-134-0x0000000006660000-0x0000000006C04000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4872-143-0x0000000007130000-0x000000000713A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4872-144-0x0000000007940000-0x0000000007952000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4872-135-0x0000000006190000-0x0000000006222000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4872-146-0x0000000008600000-0x000000000860A000-memory.dmp

              Filesize

              40KB

              Download