Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/04/2024, 06:58

General

  • Target

    12de70d06ed65680914d061347ac1f95.exe

  • Size

    89KB

  • MD5

    12de70d06ed65680914d061347ac1f95

  • SHA1

    14023e1ed46236cbfb463ddccd6345caa3c14d54

  • SHA256

    46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339

  • SHA512

    7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f

  • SSDEEP

    1536:EGjb5BKhaUxo6TRMinLvIbzV6A2SYzEOV4c7rei1:EGjb5IJxZTLnL4aSY4OVDui

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.249.112.118:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe
    "C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SYSTEM32\SCHtAsKs.EXe
      "SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 1
      2⤵
      • Creates scheduled task(s)
      PID:4300
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      PID:4064
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4996
  • C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
    C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
    1⤵
    • Suspicious use of SetThreadContext
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\system32\SCHtAsKs.EXe
      "SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 1
      2⤵
      • Creates scheduled task(s)
      PID:3328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3524
  • C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
    C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1872
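Two behaviours in the tree above are worth turning into detections. First, a case-mangled SCHtAsKs.EXe creates a daily task whose action is the dropped copy under %AppData%\Roaming, with /ri 1 and /du 9999:59, i.e. the task re-runs every minute for 9999 hours; the task is there to keep re-launching the implant. Second, aspnet_compiler.exe is started with no arguments by the implant, whose own process shows WriteProcessMemory and (on the second run) SetThreadContext, the pattern of .NET process hollowing; the 88KB region memory/3524-13 at 0x400000 inside aspnet_compiler.exe is consistent with the 89KB payload mapped into the hollowed host. The following is an added example, not part of this report and not Triage's own detection logic: it runs both checks over Sysmon-style process-creation records constructed from the tree, plus two benign controls (PIDs 5000 and 5100, not from the report). The record layout, the schtasks switch list, the hollowing-target list, the writable-path pattern and the /ri and /du thresholds are all assumptions.

```python
"""Schtasks persistence and .NET process hollowing checks over Sysmon-style process-creation
records. Added example, not Triage's detection code; schema and thresholds are assumptions."""
import ntpath
import re

# Constructed from the process tree above (report PIDs and command lines), plus two
# benign controls, PIDs 5000 and 5100, which are not from the report.
EVENTS = [
    {"pid": 1384, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"'},
    {"pid": 4300, "ppid": 1384, "image": r"C:\Windows\SYSTEM32\SCHtAsKs.EXe",
     "cmdline": r'''"SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 1'''},
    {"pid": 4064, "ppid": 1384,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /tn Backup /TR "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"pid": 5100, "ppid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" -v / -p C:\src\site -u C:\build\out'},
]

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')  # quoted arguments stay one token
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+|programdata|windows\\temp)\\", re.I)
# schtasks switches that take a value (assumed subset of the documented switches)
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/ri", "/du", "/st", "/sd", "/ed", "/mo", "/ru", "/rp", "/et"}
# signed .NET utilities commonly hollowed by .NET RunPE loaders (assumed list)
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "applaunch.exe", "vbc.exe", "csc.exe"}

def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok

def case_transitions(name):
    """Upper/lower switches between adjacent letters: 'SCHtAsKs.EXe' -> 7, 'schtasks.exe' -> 0."""
    letters = [c for c in name if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))

def parse_schtasks(cmdline):
    """Return {'exe': name, '/switch': value-or-True} for a schtasks command line."""
    toks = TOKEN.findall(cmdline)
    opts = {"exe": unquote(toks[0])} if toks else {"exe": ""}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw.startswith("/"):
            if sw in VALUE_SWITCHES and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[sw] = unquote(toks[i + 1])
                i += 1
            else:
                opts[sw] = True
        i += 1
    return opts

def check_schtasks(ev):
    if ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return []
    opts = parse_schtasks(ev["cmdline"])
    if "/create" not in opts:
        return []
    reasons = []
    action = opts.get("/tr", "")
    if is_user_writable(action):
        reasons.append(f"task action runs from a user-writable path: {action}")
    ri, hours = opts.get("/ri", ""), opts.get("/du", "").split(":")[0]
    # repeat every <= 5 min for a day or more: the task exists to keep re-launching the implant
    if ri.isdigit() and hours.isdigit() and int(ri) <= 5 and int(hours) >= 24:
        reasons.append(f"re-launched every {ri} min for {opts['/du']} (hours:minutes)")
    if case_transitions(opts["exe"]) >= 3:
        reasons.append(f"case-mangled binary name {opts['exe']!r}")
    return reasons

def check_hollowing(ev, by_pid):
    """Sysmon records no SetThreadContext; proxy: known target, no arguments, parent in a writable path."""
    name = ntpath.basename(ev["image"]).lower()
    if name not in HOLLOW_TARGETS or len(TOKEN.findall(ev["cmdline"])) > 1:
        return []
    parent = by_pid.get(ev["ppid"])
    if parent and is_user_writable(parent["image"]):
        return [f"{name} started with no arguments by {ntpath.basename(parent['image'])} "
                "from a user-writable path: probable process hollowing target"]
    return []

def scan(events):
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        reasons = check_schtasks(ev) + check_hollowing(ev, by_pid)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

On the constructed records, PIDs 4300 and 4064 are flagged and the two controls are not. The hollowing check deliberately keys on the parent-child relationship rather than on the API calls the sandbox saw, because endpoint telemetry normally does not carry SetThreadContext or WriteProcessMemory; on a host you would confirm with the 0x400000-region dump or a handle/thread-context audit.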

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Accounts_Ledger_Software.eXE.log

        Filesize

        1KB

        MD5

        b45add5931a183b5b884e454b290b42e

        SHA1

        4aafa6d93dea853328fe65347ce24e334e7f0281

        SHA256

        2b9c6ceca7fc1a6b3795798adbaa4e7ef0462573c1a528ff8c9f4201885cc8ce

        SHA512

        969f5f114a34310d55d8f18dd4935aa348d85262a84378757279c4b5dee6b6fbfc9941574f7128eb4e2b6b7eafffdf394d14568ea4b509b740249ed748ea8127

      • C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE

        Filesize

        89KB

        MD5

        12de70d06ed65680914d061347ac1f95

        SHA1

        14023e1ed46236cbfb463ddccd6345caa3c14d54

        SHA256

        46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339

        SHA512

        7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f

      • memory/1004-15-0x00007FFEAB1C0000-0x00007FFEABC81000-memory.dmp

        Filesize

        10.8MB

      • memory/1004-11-0x0000000002550000-0x0000000002560000-memory.dmp

        Filesize

        64KB

      • memory/1004-10-0x00007FFEAB1C0000-0x00007FFEABC81000-memory.dmp

        Filesize

        10.8MB

      • memory/1384-7-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp

        Filesize

        10.8MB

      • memory/1384-1-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp

        Filesize

        10.8MB

      • memory/1384-5-0x0000000002970000-0x0000000002971000-memory.dmp

        Filesize

        4KB

      • memory/1384-4-0x000000001B5C0000-0x000000001B5FC000-memory.dmp

        Filesize

        240KB

      • memory/1384-3-0x000000001B630000-0x000000001B640000-memory.dmp

        Filesize

        64KB

      • memory/1384-0-0x0000000000820000-0x000000000083A000-memory.dmp

        Filesize

        104KB

      • memory/1872-28-0x00007FFEAB2E0000-0x00007FFEABDA1000-memory.dmp

        Filesize

        10.8MB

      • memory/1872-27-0x00007FFEAB2E0000-0x00007FFEABDA1000-memory.dmp

        Filesize

        10.8MB

      • memory/3524-17-0x00000000051E0000-0x00000000051F0000-memory.dmp

        Filesize

        64KB

      • memory/3524-21-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

        Filesize

        624KB

      • memory/3524-22-0x0000000006140000-0x00000000066E4000-memory.dmp

        Filesize

        5.6MB

      • memory/3524-23-0x0000000005C00000-0x0000000005C66000-memory.dmp

        Filesize

        408KB

      • memory/3524-24-0x0000000074860000-0x0000000075010000-memory.dmp

        Filesize

        7.7MB

      • memory/3524-18-0x00000000772C1000-0x00000000772C2000-memory.dmp

        Filesize

        4KB

      • memory/3524-16-0x0000000074860000-0x0000000075010000-memory.dmp

        Filesize

        7.7MB

      • memory/3524-13-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB