Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

01206099.exe

windows7-x64

10

01206099.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2023, 08:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01206099.exe

  • Size

    698KB

  • MD5

    acca46dd166c04133d2916b8d780e245

  • SHA1

    e426111a0a29367369a81219161e7577158f0204

  • SHA256

    127c167eab781efef570aaa089b6a66141953dc700beb9f5d5ba4cfa6ae4c97d

  • SHA512

    e603a3c651c612edc29bfbb0e688b75e4faa8e7b96a94dbb860d404191d04f1a1ea488302aa4516f778922bb866014591963732cb42e67f608db90411f1a5004

  • SSDEEP

    6144:XWoSFtKEx6Ixb26rQ7jnr83cVcg6fBuBuDuHJMJlFRQJfYyu2gHuFdfYJFuVBiLQ:XYxa/7jn7lTMZod7Y8

Score
10/10
asyncratrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 5 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01206099.exe
    "C:\Users\Admin\AppData\Local\Temp\01206099.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C2C.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1708
      • C:\Users\Admin\AppData\Roaming\service.exe
        "C:\Users\Admin\AppData\Roaming\service.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:868

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6C2C.tmp.bat
    Filesize

    151B

    MD5

    ec58aad5140116f780b5efbe18f766b7

    SHA1

    dd51c2f0fcb4689e30f0bd588d0f3bb0ad302694

    SHA256

    0e791ed84fd3e1679dd7885221852e9a1f5b8ebdd5a3ddc63d18bcc3311cb688

    SHA512

    2f13dfa3e28072f2bfea2dae28ce09c583926918b07a1f0789ad2584f101ae8e0a52b1275dd870714768edac465c71211d946578dc55a6ce1ad81a0760c1f687

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp6C2C.tmp.bat
    Filesize

    151B

    MD5

    ec58aad5140116f780b5efbe18f766b7

    SHA1

    dd51c2f0fcb4689e30f0bd588d0f3bb0ad302694

    SHA256

    0e791ed84fd3e1679dd7885221852e9a1f5b8ebdd5a3ddc63d18bcc3311cb688

    SHA512

    2f13dfa3e28072f2bfea2dae28ce09c583926918b07a1f0789ad2584f101ae8e0a52b1275dd870714768edac465c71211d946578dc55a6ce1ad81a0760c1f687

    Download Submit

  • C:\Users\Admin\AppData\Roaming\service.exe
    Filesize

    698KB

    MD5

    acca46dd166c04133d2916b8d780e245

    SHA1

    e426111a0a29367369a81219161e7577158f0204

    SHA256

    127c167eab781efef570aaa089b6a66141953dc700beb9f5d5ba4cfa6ae4c97d

    SHA512

    e603a3c651c612edc29bfbb0e688b75e4faa8e7b96a94dbb860d404191d04f1a1ea488302aa4516f778922bb866014591963732cb42e67f608db90411f1a5004

    Download Submit

  • C:\Users\Admin\AppData\Roaming\service.exe
    Filesize

    698KB

    MD5

    acca46dd166c04133d2916b8d780e245

    SHA1

    e426111a0a29367369a81219161e7577158f0204

    SHA256

    127c167eab781efef570aaa089b6a66141953dc700beb9f5d5ba4cfa6ae4c97d

    SHA512

    e603a3c651c612edc29bfbb0e688b75e4faa8e7b96a94dbb860d404191d04f1a1ea488302aa4516f778922bb866014591963732cb42e67f608db90411f1a5004

    Download Submit

  • \Users\Admin\AppData\Roaming\service.exe
    Filesize

    698KB

    MD5

    acca46dd166c04133d2916b8d780e245

    SHA1

    e426111a0a29367369a81219161e7577158f0204

    SHA256

    127c167eab781efef570aaa089b6a66141953dc700beb9f5d5ba4cfa6ae4c97d

    SHA512

    e603a3c651c612edc29bfbb0e688b75e4faa8e7b96a94dbb860d404191d04f1a1ea488302aa4516f778922bb866014591963732cb42e67f608db90411f1a5004

    Download Submit

  • memory/868-68-0x0000000000EC0000-0x0000000000F74000-memory.dmp

    Filesize

    720KB

    Download

  • memory/868-69-0x0000000004ED0000-0x0000000004F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/868-70-0x0000000004ED0000-0x0000000004F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1336-54-0x0000000000BE0000-0x0000000000C94000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1336-55-0x0000000004240000-0x0000000004280000-memory.dmp

    Filesize

    256KB

    Download