Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
12/07/2024, 05:55
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240704-en
Errors
General
-
Target
Client.exe
-
Size
98KB
-
MD5
32ea99984c4ac087a13d62ee493c0e5b
-
SHA1
b74425cc3b69bfe2f8b5ac6f5d0e661d8a646f5e
-
SHA256
3d4fae60580e8c72482beea430dea8f3ed64e64bce3abe15150a26de0fffa7fe
-
SHA512
5064c78c2b8e145105eac87c154a13eb939f8dd4eac59a09c48fd8703195cbc8ed979302b1b6bc5d5b552dc4baf6584175c986d1e721c6f8d55ecc6ae02f0e2f
-
SSDEEP
3072:oUvicxK8WmPMV2e9VdQsH1bf7eQhvWc3fBY:ocWmPMV2aesVbqKT3p
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
147.185.221.21:4449
147.185.221.21:6703
147.185.221.21:5552
iyxtncnzhjunacoyx
-
delay
1
-
install
true
-
install_file
EaxSet.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x0009000000016fb3-16.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 2896 EaxSet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2716 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2728 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2004 Client.exe 2004 Client.exe 2004 Client.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe 2896 EaxSet.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2004 Client.exe Token: SeDebugPrivilege 2896 EaxSet.exe Token: 33 2100 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2100 AUDIODG.EXE Token: 33 2100 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2100 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2896 EaxSet.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2004 wrote to memory of 2304 2004 Client.exe 31 PID 2004 wrote to memory of 2304 2004 Client.exe 31 PID 2004 wrote to memory of 2304 2004 Client.exe 31 PID 2004 wrote to memory of 2988 2004 Client.exe 33 PID 2004 wrote to memory of 2988 2004 Client.exe 33 PID 2004 wrote to memory of 2988 2004 Client.exe 33 PID 2988 wrote to memory of 2716 2988 cmd.exe 35 PID 2988 wrote to memory of 2716 2988 cmd.exe 35 PID 2988 wrote to memory of 2716 2988 cmd.exe 35 PID 2304 wrote to memory of 2728 2304 cmd.exe 36 PID 2304 wrote to memory of 2728 2304 cmd.exe 36 PID 2304 wrote to memory of 2728 2304 cmd.exe 36 PID 2988 wrote to memory of 2896 2988 cmd.exe 37 PID 2988 wrote to memory of 2896 2988 cmd.exe 37 PID 2988 wrote to memory of 2896 2988 cmd.exe 37 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EaxSet" /tr '"C:\Users\Admin\AppData\Roaming\EaxSet.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "EaxSet" /tr '"C:\Users\Admin\AppData\Roaming\EaxSet.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:2728
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2716
-
-
C:\Users\Admin\AppData\Roaming\EaxSet.exe"C:\Users\Admin\AppData\Roaming\EaxSet.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
-
C:\Windows\system32\calc.exe"C:\Windows\system32\calc.exe"1⤵PID:2596
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2588
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5501⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2300
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD542652c7ff8edb7b48366c482975a8662
SHA1aa60f613ba8a6f9c10970c0bcfe2dd4222315df8
SHA256fd68da31a595fde445b73937f99a8d3ba3ff7931a19f5327fa255b9606d35b2f
SHA5125b10405d8920d3b83b20e8ebb850497047686e13dc85d0d2d8be0c335c35663c4f7ca776694c5c145e60604606275f597be94cf85a4e203c27a22bd57d4739aa
-
Filesize
98KB
MD532ea99984c4ac087a13d62ee493c0e5b
SHA1b74425cc3b69bfe2f8b5ac6f5d0e661d8a646f5e
SHA2563d4fae60580e8c72482beea430dea8f3ed64e64bce3abe15150a26de0fffa7fe
SHA5125064c78c2b8e145105eac87c154a13eb939f8dd4eac59a09c48fd8703195cbc8ed979302b1b6bc5d5b552dc4baf6584175c986d1e721c6f8d55ecc6ae02f0e2f
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b