Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2023, 14:11

General

  • Target

    file.exe

  • Size

    353KB

  • MD5

    3a31f9c35ab9f26a2e9028c5b438780d

  • SHA1

    62dbb580219968fa4e4fed20703fa00dbac78666

  • SHA256

    15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7

  • SHA512

    36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5

  • SSDEEP

    6144:Bj7y9GhvWNikQKsPDvKyG9Ih0oenrJYkcKp4ORIvY+pObV:9dcNHcvVh0oIrJfoORIvY+p+

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

V365

C2

111.90.149.195:5111

111.90.149.195:7766

Mutex

4ac24af1-9eb0-4f83-aa69-9a23a66ab177

Attributes
  • delay

    2

  • install

    false

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:640
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp319C.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1908
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
          4⤵
            PID:576
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
            4⤵
              PID:1328
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
              4⤵
                PID:1544
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                4⤵
                  PID:2024
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:556
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 168
                    5⤵
                    • Program crash
                    PID:1976

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp319C.tmp.bat

            Filesize

            151B

            MD5

            4903cf0694fe5526545066f73a6fbd53

            SHA1

            0fc6a8dc45d7d4a1a87ddf726117c43736ff30e4

            SHA256

            f5ae5e38978e2d5d58eca03fc9ecfd3bb7cfc7e0f2fa3e2232ccbaa5ff091cc9

            SHA512

            0e014804677c835e013b8d4b3ec1cc4ca1efcdcec5772f6fbcc47bcf46b522c17aa114d8e21992ecdc65ccb8db46bfdd9a23d34a087e5216c7c92ef66790ae01

          • C:\Users\Admin\AppData\Local\Temp\tmp319C.tmp.bat

            Filesize

            151B

            MD5

            4903cf0694fe5526545066f73a6fbd53

            SHA1

            0fc6a8dc45d7d4a1a87ddf726117c43736ff30e4

            SHA256

            f5ae5e38978e2d5d58eca03fc9ecfd3bb7cfc7e0f2fa3e2232ccbaa5ff091cc9

            SHA512

            0e014804677c835e013b8d4b3ec1cc4ca1efcdcec5772f6fbcc47bcf46b522c17aa114d8e21992ecdc65ccb8db46bfdd9a23d34a087e5216c7c92ef66790ae01

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            353KB

            MD5

            3a31f9c35ab9f26a2e9028c5b438780d

            SHA1

            62dbb580219968fa4e4fed20703fa00dbac78666

            SHA256

            15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7

            SHA512

            36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            353KB

            MD5

            3a31f9c35ab9f26a2e9028c5b438780d

            SHA1

            62dbb580219968fa4e4fed20703fa00dbac78666

            SHA256

            15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7

            SHA512

            36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5

          • \Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            353KB

            MD5

            3a31f9c35ab9f26a2e9028c5b438780d

            SHA1

            62dbb580219968fa4e4fed20703fa00dbac78666

            SHA256

            15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7

            SHA512

            36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5

          • memory/556-71-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/1368-69-0x0000000000320000-0x000000000037C000-memory.dmp

            Filesize

            368KB

          • memory/1368-70-0x000000001BD90000-0x000000001BE10000-memory.dmp

            Filesize

            512KB

          • memory/2000-54-0x0000000000CD0000-0x0000000000D2C000-memory.dmp

            Filesize

            368KB

          • memory/2000-55-0x000000001BC40000-0x000000001BCC0000-memory.dmp

            Filesize

            512KB