Analysis
- max time kernel: 70s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2023, 08:01
Behavioral task: behavioral1
- Sample: 251523fa1b013d8ca82ab08f177d3ab2.exe
- Resource: win7-20230220-en
General
- Target: 251523fa1b013d8ca82ab08f177d3ab2.exe
- Size: 49KB
- MD5: 251523fa1b013d8ca82ab08f177d3ab2
- SHA1: ff641e25cb287db90de6f59786a9a940aa2c5bee
- SHA256: 515e5105f1bda9207f1342220ecaddc6dc04b8aa54149e7cc7ccb38225845d03
- SHA512: 63316282cb55b46fbf5b4c95f4ec39cb59fd7b775c4c1dec4db502b8957ff41c31de3b7b7526c8bfe9c79d68070c433d78ce9d51848d51e9e57a3b3639367ef5
- SSDEEP: 1536:luqY9T9xy2eD3bmXSTLNI98P0wx8vV9XdD4C:luqUT9xy2eD3bmsxI9S8vVhR4C
Malware Config
Extracted family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: nasihej725.hopto.org:6606
- Mutex: Microsoft_6SI8OkPnk
- delay: 3
- install: true
- install_file: Windows Session Control.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/memory/1520-133-0x0000000000960000-0x0000000000972000-memory.dmp / asyncrat
  - behavioral2/files/0x000200000001e417-143.dat / asyncrat
  - behavioral2/files/0x000200000001e417-144.dat / asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation; Process: 251523fa1b013d8ca82ab08f177d3ab2.exe
- Executes dropped EXE (1 IoC)
  - pid 4008; Process: Windows Session Control.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2404; Process: schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  - pid 2064; Process: timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  - pid 1520; Process: 251523fa1b013d8ca82ab08f177d3ab2.exe (the same process for all 23 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - description: Token: SeDebugPrivilege; pid 1520; Process: 251523fa1b013d8ca82ab08f177d3ab2.exe
  - description: Token: SeDebugPrivilege; pid 4008; Process: Windows Session Control.exe
  - description: Token: SeDebugPrivilege; pid 4008; Process: Windows Session Control.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each event is logged three times)
  - description: PID 1520 wrote to memory of 804; pid 1520; Process: 251523fa1b013d8ca82ab08f177d3ab2.exe; procid_target 82 (x3)
  - description: PID 1520 wrote to memory of 2128; pid 1520; Process: 251523fa1b013d8ca82ab08f177d3ab2.exe; procid_target 84 (x3)
  - description: PID 804 wrote to memory of 2404; pid 804; Process: cmd.exe; procid_target 86 (x3)
  - description: PID 2128 wrote to memory of 2064; pid 2128; Process: cmd.exe; procid_target 87 (x3)
  - description: PID 2128 wrote to memory of 4008; pid 2128; Process: cmd.exe; procid_target 91 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\251523fa1b013d8ca82ab08f177d3ab2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\251523fa1b013d8ca82ab08f177d3ab2.exe"
  PID: 1520
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Session Control" /tr '"C:\Users\Admin\AppData\Roaming\Windows Session Control.exe"' & exit
    PID: 804
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Session Control" /tr '"C:\Users\Admin\AppData\Roaming\Windows Session Control.exe"'
      PID: 2404
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8988.tmp.bat""
    PID: 2128
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2064
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Windows Session Control.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Session Control.exe"
      PID: 4008
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 167B
  MD5: a95b18578d58859082fb9a6479bc8ac8
  SHA1: 88f104d619857fcaa6b231f375681a574747384e
  SHA256: 13cf07f15aed8dd720df774d38cdd0a682d43c0bf0444423fe13cf7a9580fdc5
  SHA512: c8cf8601f4d1de398331b57b8188ee6f0a1249ef7e65b5eb1e97029fa154e01775fde887be9c2d4dcf317bf5d4d67f7b526933413d908d26b416864c00fe366e
- Filesize: 49KB
  MD5: 251523fa1b013d8ca82ab08f177d3ab2
  SHA1: ff641e25cb287db90de6f59786a9a940aa2c5bee
  SHA256: 515e5105f1bda9207f1342220ecaddc6dc04b8aa54149e7cc7ccb38225845d03
  SHA512: 63316282cb55b46fbf5b4c95f4ec39cb59fd7b775c4c1dec4db502b8957ff41c31de3b7b7526c8bfe9c79d68070c433d78ce9d51848d51e9e57a3b3639367ef5