Analysis
  max time kernel:  147s
  max time network: 149s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        24/03/2023, 01:45
Behavioral task: behavioral1
  Sample:   shadow.exe
  Resource: win7-20230220-en
General
  Target: shadow.exe
  Size:   45KB
  MD5:    b0c54754039e4c312c81cc1de388e1e6
  SHA1:   c00e8d078f1224156e5f34720732891afe72d654
  SHA256: aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c
  SHA512: c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8
  SSDEEP: 768:DuU2VTwkbBHWU7TZcFmo2qjLKjGKG6PIyzjbFgX3i0ZHPcZekvlaBDZDx:DuU2VTwAJM2aKYDy3bCXS0ZC+dDx
Malware Config
  Extracted configuration (values as reported, in page order):
    asyncrat
    0.5.7B
    Default
    klept0wiz-33913.portmap.host:33913
    guaeiofj398ajgka340gka9wk3f09jq3ad
  delay:          3
  install:        true
  install_file:   Management.exe
  install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/2528-133-0x0000000000D60000-0x0000000000D72000-memory.dmp    asyncrat
  behavioral2/files/0x000300000001e720-142.dat                                    asyncrat
  behavioral2/files/0x000300000001e720-143.dat                                    asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  shadow.exe

Executes dropped EXE (1 IoC)
  pid   Process
  4104  Management.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3332  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid   Process
  3576  timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   Process
  2528  shadow.exe   (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2528  shadow.exe
  Token: SeDebugPrivilege  4104  Management.exe

Suspicious use of WriteProcessMemory (15 IoCs; each row reported 3 times)
  description                    pid   Process     procid_target
  PID 2528 wrote to memory of 4784  2528  shadow.exe  86
  PID 2528 wrote to memory of 3712  2528  shadow.exe  88
  PID 4784 wrote to memory of 3332  4784  cmd.exe     90
  PID 3712 wrote to memory of 3576  3712  cmd.exe     91
  PID 3712 wrote to memory of 4104  3712  cmd.exe     93
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\shadow.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\shadow.exe"
   PID: 2528
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Management" /tr '"C:\Users\Admin\AppData\Roaming\Management.exe"' & exit
      PID: 4784
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         command line: schtasks /create /f /sc onlogon /rl highest /tn "Management" /tr '"C:\Users\Admin\AppData\Roaming\Management.exe"'
         PID: 3332
         - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.bat""
      PID: 3712
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         command line: timeout 3
         PID: 3576
         - Delays execution with timeout.exe

      3. C:\Users\Admin\AppData\Roaming\Management.exe
         command line: "C:\Users\Admin\AppData\Roaming\Management.exe"
         PID: 4104
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 154B
  MD5:      23f77b559af0a67fd14dc410ee3f5fff
  SHA1:     acf79d182bba3fe47c6f23e4047c9ffacbc1e4d9
  SHA256:   bba4e4e1bee4b198cfd1a2c29114e5f0f92a3e29be18c837d793caf547c7b93c
  SHA512:   8d10d45fcd82cc73941c39f8b5da709234a0011f6a95ac826c11b68f7be42eb92c65ac57b0368d0bbf8fb50f7914a364b0018566c5cd8aca1210038b77b34b18

File 2
  Filesize: 45KB
  MD5:      b0c54754039e4c312c81cc1de388e1e6
  SHA1:     c00e8d078f1224156e5f34720732891afe72d654
  SHA256:   aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c
  SHA512:   c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8

File 3
  Filesize: 45KB
  MD5:      b0c54754039e4c312c81cc1de388e1e6
  SHA1:     c00e8d078f1224156e5f34720732891afe72d654
  SHA256:   aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c
  SHA512:   c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8