Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/05/2023, 05:06

General

  • Target

    Vnd Vietcombankpdf.exe

  • Size

    164KB

  • MD5

    17a37bf8286737da1e6b94f8094ca1c1

  • SHA1

    4c926d254cdc3bc5f243f97b5602cbae2d9669a5

  • SHA256

    5d318ad1fa11ca3660fe35faff0e0aaef8acd820e01cdd5ee7305c30314f5303

  • SHA512

    66c3ba7121ed0485fb9dbef897f15baf2920575aec6e3d3b773ca36052b09217df277a7127c6e907241d62f0c239f1099c5e43ad3c811c84f5323d2e1d9357ca

  • SSDEEP

    3072:XfY/TU9fE9PEtuAbx1qh8nA7Yg75h/zu3GOFkqqymeiy5wt8biswBM6GZ7wzG48:PYa6cxchIAR5h/zLak+mPtIisW8gV8

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

141.98.102.235:16296

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan, written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:840

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nso1114.tmp\smjrtvd.dll

    Filesize

    4KB

    MD5

    e39081d0a073b0aa576cb5b2571b2a1b

    SHA1

    da726c1269d8b7127dcb77f95d44e63b597b0bc6

    SHA256

    467a142e9aee7798d20ce3d3339fb04a49a4c219c9795d4a69ef0def1000069b

    SHA512

    03f642399b5da14556e741217e5b10070ca03e5f4135127cb886f8b8835290c89aa95638f7974b8796f0f867937c1953b2d3a8e80d56fbb6276ba70fd8cb383a

  • memory/840-62-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/840-64-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/840-65-0x0000000000310000-0x0000000000322000-memory.dmp

    Filesize

    72KB

  • memory/840-66-0x0000000004450000-0x0000000004490000-memory.dmp

    Filesize

    256KB

  • memory/840-67-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/840-68-0x0000000004450000-0x0000000004490000-memory.dmp

    Filesize

    256KB

  • memory/840-87-0x0000000004450000-0x0000000004490000-memory.dmp

    Filesize

    256KB