Analysis
max time kernel: 70s
max time network: 74s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 00:31
Static task: static1
Behavioral task: behavioral1
Sample: service_updated.exe
Resource: win7-20230220-en
General
Target: service_updated.exe
Size: 26KB
MD5: 0ba94632c859dabbdeb1c68ebd7ca34d
SHA1: 70f25b976fb529d4826d9560288560d7c3f5b63e
SHA256: f2ade3ae8bf5ba063e0c5911c2996bafa09de659b23bbd3014747e12a378724e
SHA512: be6889837f1556dfde6334ab3dd9245694d79a1495c4be86eecc0ba2695beeaaa4aebfd5fd9e27cdceea2a2e6a65e7624efce48c0ba92bc3f8550d5c914d5ef0
SSDEEP: 384:IJJo2hYvWMUMGYZapeJiPRQMFWsXrMTW4g1CwL1CyDb+/cG7mljCD0m3HtnX:JEH1eJiJVXrM41v1C8bpCaCgm3HtX
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: DcRatMutex_qwqdanchun
delay: 10
install: true
install_file: csrss.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures
- Async RAT payload (IoCs: 6)
  resource / yara_rule:
  behavioral2/files/0x00010000000230e4-154.dat  asyncrat
  behavioral2/files/0x00010000000230e4-225.dat  asyncrat
  behavioral2/files/0x00010000000230e4-226.dat  asyncrat
  behavioral2/memory/1368-227-0x00000000007B0000-0x00000000007C6000-memory.dmp  asyncrat
  behavioral2/files/0x00040000000227ba-303.dat  asyncrat
  behavioral2/files/0x00040000000227ba-304.dat  asyncrat
- Downloads MZ/PE file
- Sets file to hidden (TTPs: 1, IoCs: 1)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / Process: 3508 attrib.exe
- Checks computer location settings (TTPs: 2, IoCs: 2)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  tmp8DD0.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  csrss.exe
- Executes dropped EXE (IoCs: 4)
  pid / Process:
  1208 tmp8DD0.exe
  1368 csrss.exe
  4792 Extreme Injector v3.exe
  4144 csrss.exe
- Legitimate hosting services abused for malware hosting/C2 (TTPs: 1)
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (TTPs: 1, IoCs: 1)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 4388 schtasks.exe
- Delays execution with timeout.exe (IoCs: 1)
  pid / Process: 4280 timeout.exe
- Modifies registry class (IoCs: 1)
  description / ioc / Process:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  tmp8DD0.exe
- Suspicious behavior: EnumeratesProcesses (IoCs: 24)
  pid / Process:
  1064 service_updated.exe  (1 entry)
  1368 csrss.exe  (23 entries)
- Suspicious use of AdjustPrivilegeToken (IoCs: 64)
  description / pid / Process:
  Token: SeDebugPrivilege  1064 service_updated.exe  (first entry)
  Token: SeDebugPrivilege  4792 Extreme Injector v3.exe  (2 entries)
  Token: SeDebugPrivilege  1368 csrss.exe  (1 entry, partway through the run below)
  Token: SeDebugPrivilege  4144 csrss.exe  (1 entry, partway through the run below)
  Token: 33 alternating with Token: SeIncBasePriorityPrivilege  4792 Extreme Injector v3.exe  (59 entries)
- Suspicious use of WriteProcessMemory (IoCs: 19)
  description / pid / Process / procid_target:
  PID 1064 wrote to memory of 3508  1064 service_updated.exe  88  (2 entries)
  PID 1064 wrote to memory of 1208  1064 service_updated.exe  89  (3 entries)
  PID 1208 wrote to memory of 1368  1208 tmp8DD0.exe  93  (2 entries)
  PID 1208 wrote to memory of 4792  1208 tmp8DD0.exe  94  (2 entries)
  PID 1368 wrote to memory of 4924  1368 csrss.exe  105  (2 entries)
  PID 1368 wrote to memory of 4632  1368 csrss.exe  107  (2 entries)
  PID 4924 wrote to memory of 4388  4924 cmd.exe  109  (2 entries)
  PID 4632 wrote to memory of 4280  4632 cmd.exe  110  (2 entries)
  PID 4632 wrote to memory of 4144  4632 cmd.exe  111  (2 entries)
- Uses Task Scheduler COM API (TTPs: 1)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (TTPs: 1, IoCs: 1)
  pid / Process: 3508 attrib.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\service_updated.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\service_updated.exe"
    PID: 1064
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\system32\attrib.exe
      command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe
      PID: 3508
      - Sets file to hidden
      - Views/modifies file attributes
  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe"
      PID: 1208
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\csrss.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
        PID: 1368
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
          PID: 4924
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
            PID: 4388
            - Creates scheduled task(s)
      (depth 4) C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF66.tmp.bat""
          PID: 4632
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\system32\timeout.exe
            command line: timeout 3
            PID: 4280
            - Delays execution with timeout.exe
        (depth 5) C:\Users\Admin\AppData\Roaming\csrss.exe
            command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
            PID: 4144
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        PID: 4792
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 425B
  MD5: fff5cbccb6b31b40f834b8f4778a779a
  SHA1: 899ed0377e89f1ed434cfeecc5bc0163ebdf0454
  SHA256: b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
  SHA512: 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9
- Filesize: 1.9MB (identical record listed 3 times in sequence)
  MD5: ec801a7d4b72a288ec6c207bb9ff0131
  SHA1: 32eec2ae1f9e201516fa7fcdc16c4928f7997561
  SHA256: b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
  SHA512: a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 63KB (identical record listed 3 times in sequence)
  MD5: 4e8ed7a82d6919108934eaa3fcd3ed9f
  SHA1: f74a1c9fc02c8374ec0ee68438ae309f1f61ff41
  SHA256: c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364
  SHA512: 2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad
- Filesize: 2.3MB (identical record listed 2 times in sequence)
  MD5: 83a24ea1847f5cbb5508785abb5126ea
  SHA1: 63930e7171d1fc94fd4ec745392b3a1136cb0496
  SHA256: 246b30f2dc863cc247d9ad8bff17e1ec92f2282810f47f42634c0bb7883ba268
  SHA512: fb6fbeb92bf4fee54f46e4dd75703cc85ebec3e57594fd7cb14874c096c2783ad896c863ba34c594f368d5c16df6a264e50dbb06d674c565d426dd2ddfe3890e
- Filesize: 149B
  MD5: 8ceb70f89d14aca842e8f6671fce5517
  SHA1: e413e73baeb2b6d773fd783300b3707e999dce17
  SHA256: edf1778306314abc5313341d9a9df37db793dc4cc56577857156a472bf67f05b
  SHA512: 99877f7c067f6835734fc97008df400a81f392a3080733550ba2a2bfc2ba2e86c4c274078f3855ff93c7d7eebd8f015b9447d064056837f766b10171ebbeda34
- Filesize: 63KB (same file as the 63KB record above; listed 2 more times in sequence)
  MD5: 4e8ed7a82d6919108934eaa3fcd3ed9f
  SHA1: f74a1c9fc02c8374ec0ee68438ae309f1f61ff41
  SHA256: c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364
  SHA512: 2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad