Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
22/04/2024, 06:58
Static task
static1
Behavioral task
behavioral1
Sample
12de70d06ed65680914d061347ac1f95.exe
Resource
win7-20240221-en
General
-
Target
12de70d06ed65680914d061347ac1f95.exe
-
Size
89KB
-
MD5
12de70d06ed65680914d061347ac1f95
-
SHA1
14023e1ed46236cbfb463ddccd6345caa3c14d54
-
SHA256
46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339
-
SHA512
7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f
-
SSDEEP
1536:EGjb5BKhaUxo6TRMinLvIbzV6A2SYzEOV4c7rei1:EGjb5IJxZTLnL4aSY4OVDui
Malware Config
Extracted
asyncrat
1.0.7
Default
103.249.112.118:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Downloads MZ/PE file
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1004 set thread context of 3524 1004 Accounts_Ledger_Software.eXE 105 -
Executes dropped EXE 2 IoCs
pid Process 1004 Accounts_Ledger_Software.eXE 1872 Accounts_Ledger_Software.eXE -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4300 SCHtAsKs.EXe 3328 SCHtAsKs.EXe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1384 12de70d06ed65680914d061347ac1f95.exe 1384 12de70d06ed65680914d061347ac1f95.exe 1384 12de70d06ed65680914d061347ac1f95.exe 1384 12de70d06ed65680914d061347ac1f95.exe 1004 Accounts_Ledger_Software.eXE 1004 Accounts_Ledger_Software.eXE 1004 Accounts_Ledger_Software.eXE 1872 Accounts_Ledger_Software.eXE 1872 Accounts_Ledger_Software.eXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1384 12de70d06ed65680914d061347ac1f95.exe Token: SeDebugPrivilege 1004 Accounts_Ledger_Software.eXE Token: SeDebugPrivilege 3524 aspnet_compiler.exe Token: SeDebugPrivilege 1872 Accounts_Ledger_Software.eXE -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1384 wrote to memory of 4300 1384 12de70d06ed65680914d061347ac1f95.exe 90 PID 1384 wrote to memory of 4300 1384 12de70d06ed65680914d061347ac1f95.exe 90 PID 1384 wrote to memory of 4064 1384 12de70d06ed65680914d061347ac1f95.exe 92 PID 1384 wrote to memory of 4064 1384 12de70d06ed65680914d061347ac1f95.exe 92 PID 1384 wrote to memory of 4064 1384 12de70d06ed65680914d061347ac1f95.exe 92 PID 1004 wrote to memory of 3328 1004 Accounts_Ledger_Software.eXE 103 PID 1004 wrote to memory of 3328 1004 Accounts_Ledger_Software.eXE 103 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 PID 1004 wrote to memory of 3524 1004 Accounts_Ledger_Software.eXE 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SYSTEM32\SCHtAsKs.EXe"SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 12⤵
- Creates scheduled task(s)
PID:4300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵PID:4996
-
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXEC:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\system32\SCHtAsKs.EXe"SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 12⤵
- Creates scheduled task(s)
PID:3328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXEC:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b45add5931a183b5b884e454b290b42e
SHA14aafa6d93dea853328fe65347ce24e334e7f0281
SHA2562b9c6ceca7fc1a6b3795798adbaa4e7ef0462573c1a528ff8c9f4201885cc8ce
SHA512969f5f114a34310d55d8f18dd4935aa348d85262a84378757279c4b5dee6b6fbfc9941574f7128eb4e2b6b7eafffdf394d14568ea4b509b740249ed748ea8127
-
Filesize
89KB
MD512de70d06ed65680914d061347ac1f95
SHA114023e1ed46236cbfb463ddccd6345caa3c14d54
SHA25646b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339
SHA5127d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f