Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 01:23
Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20240705-en
General
- Target: AsyncClient.exe
- Size: 47KB
- MD5: b600b84e2c0d59eec1edf643e07c529f
- SHA1: 2541870884411c007991150f21fe0ff814041e13
- SHA256: c1000bb63421d408df4d0b3869163a95d33c1682b14a3710a41aec00c986ea3e
- SHA512: 7372e3708a66de6eee1f9ebf9b9761f566c8c1fcdca79aa5ce21cf62593035623cf5a49386194b3cd57f5a5a4c5ba0c74e0277dec7b4b598a9e6f8806634b355
- SSDEEP: 768:suI1tT/w70kWUquzumo2qzj2OUM0EtE/43aPINPW98HxC0bsIpz461ochiX/Sjo2:suI1tT/kW2euEtEgjN5HfbsIesof//dW
Malware Config
Extracted: asyncrat
- version: 0.5.8
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- wv97guKzbU2n
- delay: 3
- install: true
- install_file: Issas.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x000b000000023445-11.dat  yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (key value queried by AsyncClient.exe)
- Executes dropped EXE (1 IoC)
  pid 5008  Issas.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid 5104  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3956  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid 1744  AsyncClient.exe (the same process, reported 21 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1744  AsyncClient.exe
  Token: SeDebugPrivilege  pid 5008  Issas.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each write is reported three times)
  description                        pid   Process          procid_target
  PID 1744 wrote to memory of 3424   1744  AsyncClient.exe  86
  PID 1744 wrote to memory of 3012   1744  AsyncClient.exe  88
  PID 3424 wrote to memory of 3956   3424  cmd.exe          90
  PID 3012 wrote to memory of 5104   3012  cmd.exe          91
  PID 3012 wrote to memory of 5008   3012  cmd.exe          92
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  PID: 1744
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Issas" /tr '"C:\Users\Admin\AppData\Roaming\Issas.exe"' & exit
    PID: 3424
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Issas" /tr '"C:\Users\Admin\AppData\Roaming\Issas.exe"'
      PID: 3956
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp.bat""
    PID: 3012
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 5104
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Issas.exe
      command line: "C:\Users\Admin\AppData\Roaming\Issas.exe"
      PID: 5008
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 149B
  MD5: 10c40f49b5ec574acd10d6d42ac1995d
  SHA1: 6b9e2fccc430b7eb1daaa3ba674b7453b7c24fe5
  SHA256: 1a4ac1adce6fa0fb3e514612346833164b4460985e6b5495cc70ccc6bd6fd0c1
  SHA512: 07ce27baecb3df21e481ab7407074672ff5de0acec573758ae04bd3c0f023bbc0ac0dabba5beb4c76e0d7591a01b0bb0234f3d6d4c9b3385c1117b12f69af949
- Filesize: 47KB (same hashes as the submitted sample)
  MD5: b600b84e2c0d59eec1edf643e07c529f
  SHA1: 2541870884411c007991150f21fe0ff814041e13
  SHA256: c1000bb63421d408df4d0b3869163a95d33c1682b14a3710a41aec00c986ea3e
  SHA512: 7372e3708a66de6eee1f9ebf9b9761f566c8c1fcdca79aa5ce21cf62593035623cf5a49386194b3cd57f5a5a4c5ba0c74e0277dec7b4b598a9e6f8806634b355