Analysis
- max time kernel: 161s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 19:14
Behavioral task
- behavioral1
- Sample: 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe
- Resource: win7-20230831-en
General
- Target: 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe
- Size: 48KB
- MD5: 39fb8a8a40c829ac3a4fd5cd6ea473b7
- SHA1: 5930195043f8a59566d778d15acb31d3c3e5c3a8
- SHA256: 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4
- SHA512: e6d3074a3f2c8d474818d1611d36990b4ab9467f5ffe983ef7572414870c2802e2f353aa02579044c7b51e482bac23424bed9767b8fbb0c41ed16dd328b2beaa
- SSDEEP: 1536:euWk5T1gi29npmgpzmyb+M/oLnOA5UtGhdIR:euWET1gi29pmgpzmyb+/Ld6tI+R
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Rust
- C2 endpoints:
extra-hack.ddns.net:2550
extra-hack.ddns.net:2551
extra-hack.ddns.net:2552
extra-hack.ddns.net:2553
extra-hack.ddns.net:2554
extra-hack.ddns.net:2555
extra-hack.ddns.net:2556
extra-hack.ddns.net:2557
extra-hack.ddns.net:2558
extra-hack.ddns.net:2559
extra-hack.ddns.net:2560
extra-hack.ddns.net:2561
extra-hack.ddns.net:2562
extra-hack.ddns.net:2563
extra-hack.ddns.net:2564
extra-hack.ddns.net:2565
extra-hack.ddns.net:2566
extra-hack.ddns.net:2567
extra-hack.ddns.net:2568
extra-hack.ddns.net:2569
extra-hack.ddns.net:2570
extra-hack.ddns.net:2571
extra-hack.ddns.net:2572
extra-hack.ddns.net:2573
extra-hack.ddns.net:2574
extra-hack.ddns.net:2575
extra-hack.ddns.net:2576
extra-hack.ddns.net:2577
extra-hack.ddns.net:2578
extra-hack.ddns.net:2579
extra-hack.ddns.net:2580
extra-hack.ddns.net:2581
extra-hack.ddns.net:2582
extra-hack.ddns.net:2583
extra-hack.ddns.net:2584
extra-hack.ddns.net:2585
extra-hack.ddns.net:2586
extra-hack.ddns.net:2587
extra-hack.ddns.net:2588
extra-hack.ddns.net:2589
extra-hack.ddns.net:2590
extra-hack.ddns.net:2591
extra-hack.ddns.net:2592
extra-hack.ddns.net:2593
extra-hack.ddns.net:2594
extra-hack.ddns.net:2595
extra-hack.ddns.net:2596
extra-hack.ddns.net:2597
extra-hack.ddns.net:2598
extra-hack.ddns.net:2599
extra-hack.ddns.net:2600
j4hy8gsf6w53x4
- delay: 3
- install: true
- install_file: Realtek HD Audio Universal Service.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/768-1-0x0000000000150000-0x0000000000162000-memory.dmp | asyncrat
  behavioral2/files/0x000f0000000230cc-14.dat | asyncrat
  behavioral2/files/0x000f0000000230cc-15.dat | asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  372 | Realtek HD Audio Universal Service.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2292 | schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  2776 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid | Process
  768 | 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe (21 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 768 | 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe
  Token: SeDebugPrivilege | 372 | Realtek HD Audio Universal Service.exe
  Token: SeDebugPrivilege | 372 | Realtek HD Audio Universal Service.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each row below appears three times in the report)
  description | pid | Process | procid_target
  PID 768 wrote to memory of 472 | 768 | 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe | 98
  PID 768 wrote to memory of 2076 | 768 | 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe | 101
  PID 472 wrote to memory of 2292 | 472 | cmd.exe | 100
  PID 2076 wrote to memory of 2776 | 2076 | cmd.exe | 103
  PID 2076 wrote to memory of 372 | 2076 | cmd.exe | 104
Processes
- C:\Users\Admin\AppData\Local\Temp\7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4_JC.exe"
  PID: 768
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Realtek HD Audio Universal Service" /tr '"C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Service.exe"' & exit
    PID: 472
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Realtek HD Audio Universal Service" /tr '"C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Service.exe"'
      PID: 2292
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87A5.tmp.bat""
    PID: 2076
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2776
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Service.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Service.exe"
      PID: 372
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 178B
  MD5: 9bb1a513c2e794e67a7e4868a01ebcab
  SHA1: 4cef45de720261d41bf6011d7b2e62a2b9193c7e
  SHA256: 7d3f9db20c9e8595dce0ea425d775ad4d6c2b90658b8f00a595422562340c09f
  SHA512: 44c9a14ce2cea8e0cb585a860457e62d07c4db7995428f242dbca31cc4a7fcf391074e0720a80437dbb93832366a49ab767d68821bbaf557ea02b80c1729242e
- Filesize: 48KB
  MD5: 39fb8a8a40c829ac3a4fd5cd6ea473b7
  SHA1: 5930195043f8a59566d778d15acb31d3c3e5c3a8
  SHA256: 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4
  SHA512: e6d3074a3f2c8d474818d1611d36990b4ab9467f5ffe983ef7572414870c2802e2f353aa02579044c7b51e482bac23424bed9767b8fbb0c41ed16dd328b2beaa
- Filesize: 48KB
  MD5: 39fb8a8a40c829ac3a4fd5cd6ea473b7
  SHA1: 5930195043f8a59566d778d15acb31d3c3e5c3a8
  SHA256: 7e1974ea77e2416b2ac75656d1e24da59de0af97815a9e337e4a7cc58f6339a4
  SHA512: e6d3074a3f2c8d474818d1611d36990b4ab9467f5ffe983ef7572414870c2802e2f353aa02579044c7b51e482bac23424bed9767b8fbb0c41ed16dd328b2beaa