Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2024, 08:41

General

  • Target

    6d3f68d31efc5fc456850af228427c25.msi

  • Size

    1.5MB

  • MD5

    6d3f68d31efc5fc456850af228427c25

  • SHA1

    487fcaaab61ce4e76d6a1e2568cf3602a5f6632b

  • SHA256

    147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974

  • SHA512

    e1c26181065ad69078e281154f741d318ceec9d412c030a89397e6d27ff89c224ed7f106b68892f41309264830e48255ff114369985206efe9c5311f8725df3d

  • SSDEEP

    24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

mafiaexe

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

twinks234.duckdns.org:6606

twinks234.duckdns.org:7707

twinks234.duckdns.org:8808

Mutex

mafiaEXE

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3016
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4192
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 66E6A536B3DA32E3664290BB2C0D6F45
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2344
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4588
      • C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1044
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files.cab

    Filesize

    1.2MB

    MD5

    d4e7f05d7f6a7dc75f468dbcaa9f437f

    SHA1

    f377284434b0200c6ebeba730dfcddaff7f2de13

    SHA256

    943ef4c71d53ef383ee9591d460799c7e503e493c26abdd6ded50eb82f2dd47f

    SHA512

    9f8d960ee4367f388a0717b9a3991682a900f13db547dd51242a6c1686a2d9badbb94446db36700116c0c7753daacc7fb43ec35c09e94bc462e74c36e2b86bf5

  • C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe

    Filesize

    1.2MB

    MD5

    6e7ebd37b6095cb1a2f3ffa9d5598c81

    SHA1

    d4d0cfa65f6dd224af16ff81a29abdf6ab0eab69

    SHA256

    1cf774a50175eb7321b1366c585ccfc68bdf0916d8e78edf1fe24e079209eb9e

    SHA512

    f23d689393db2f8292018d8b303992b19dd8b9cfd4f226a84ddd70d30ec2d89083e9b1418d5f82e04a1a81d9014387e0450747b99a02fc32e094c987cc2c782b

  • C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\msiwrapper.ini

    Filesize

    1KB

    MD5

    9a41d4f44ca69fe6799dfbb66a49f932

    SHA1

    8c11180c25a464ac86e8622d2f5aa0bf3eb7fe21

    SHA256

    ef187294353af2ac211597aaf9225fb7990cd7afa6e1e2ce1accde89935fd3bc

    SHA512

    e108c7b56f677ba0dc639f6f5af1ae7d507ce21b608a8f81eac21f4113297061036f1acc5ab1b6f387c869b349e5ca452f123f0612355747b4cc44c5f4801077

  • C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\msiwrapper.ini

    Filesize

    1KB

    MD5

    97719f6eae7e7e6d8e1fe8970f65a935

    SHA1

    65611f13bb89873c295e44f21a9e3ef96d5d46df

    SHA256

    ed2e0cca8483413fe62b9865895de3cbbc330897fd493be7d719f0b6c05550c1

    SHA512

    c0c8c210871eac6f37899962efe33d2c06b90b6c4dac83b19567c524682755fcbf45c4b9d69c8cd8fc471fbd42aef15f2ddef4dbe2d0ba2ebc0c939016ffde67

  • C:\Windows\Installer\MSI6477.tmp

    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    d5cc1fbd277d0442b7c322a6163f3a20

    SHA1

    8631ab4015c797f9f32495774ced4e9de972de77

    SHA256

    89d04688afba0d435f75722924c520f0b2d96f5b65b6c0cef5f7c18af222832a

    SHA512

    16ca6e654162c8c0c9a86e7e3daa3a05daa10033496edd92e3e2e6a833f0f2266125ed58e649b9fe433c64daed3f7fbd1c0b390fba56e617d7ff3c9b97887c64

  • \??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1b0eb991-4623-4181-a4c4-75c9188477e4}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    d20ad38dc8fbdf573f15cdbf0a6009c2

    SHA1

    f34847db86058ec3a5df6f6f6a576c3cd1c9ea15

    SHA256

    10dc4645acda1f1018f15b92e530fe49bcb386029ac0552ea4dec8c8877f6be4

    SHA512

    57da5ef2cc0498f1b58bf4c73ffee931cb66c539b8e2a97ba40cdf82754da28e03ec7a2c32cbe9b770e749308e1e96ef39f3253424615b1a483c00245e559b82

  • memory/1044-68-0x0000000000880000-0x00000000009C0000-memory.dmp

    Filesize

    1.2MB

  • memory/1044-71-0x0000000005B20000-0x00000000060C4000-memory.dmp

    Filesize

    5.6MB

  • memory/1044-72-0x0000000005760000-0x00000000057F2000-memory.dmp

    Filesize

    584KB

  • memory/1044-73-0x0000000005750000-0x000000000575A000-memory.dmp

    Filesize

    40KB

  • memory/1044-70-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

  • memory/1044-69-0x00000000726A0000-0x0000000072E50000-memory.dmp

    Filesize

    7.7MB

  • memory/1044-76-0x00000000726A0000-0x0000000072E50000-memory.dmp

    Filesize

    7.7MB

  • memory/1044-77-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB