Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 137s
  • max time network: 137s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/07/2024, 05:55

Errors

  • Reason: Machine shutdown

General

  • Target: Client.exe
  • Size: 98KB
  • MD5: 32ea99984c4ac087a13d62ee493c0e5b
  • SHA1: b74425cc3b69bfe2f8b5ac6f5d0e661d8a646f5e
  • SHA256: 3d4fae60580e8c72482beea430dea8f3ed64e64bce3abe15150a26de0fffa7fe
  • SHA512: 5064c78c2b8e145105eac87c154a13eb939f8dd4eac59a09c48fd8703195cbc8ed979302b1b6bc5d5b552dc4baf6584175c986d1e721c6f8d55ecc6ae02f0e2f
  • SSDEEP: 3072:oUvicxK8WmPMV2e9VdQsH1bf7eQhvWc3fBY:ocWmPMV2aesVbqKT3p

Score
10/10

Malware Config

Extracted

  • Family: asyncrat
  • Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
  • Botnet: Default
  • C2:
    147.185.221.21:4449
    147.185.221.21:6703
    147.185.221.21:5552
  • Mutex: iyxtncnzhjunacoyx
  • Attributes
    • delay: 1
    • install: true
    • install_file: EaxSet.exe
    • install_folder: %AppData%
  • aes.plain

Signatures

  • AsyncRat: AsyncRAT, written in C#, is designed to remotely monitor and control other computers.
  • Async RAT payload (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
  • Delays execution with timeout.exe (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC): Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTP): the Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EaxSet" /tr '"C:\Users\Admin\AppData\Roaming\EaxSet.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "EaxSet" /tr '"C:\Users\Admin\AppData\Roaming\EaxSet.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2728
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2716
      • C:\Users\Admin\AppData\Roaming\EaxSet.exe
        "C:\Users\Admin\AppData\Roaming\EaxSet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2896
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:2596
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2588
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x550
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.bat
    Filesize: 150B
    MD5: 42652c7ff8edb7b48366c482975a8662
    SHA1: aa60f613ba8a6f9c10970c0bcfe2dd4222315df8
    SHA256: fd68da31a595fde445b73937f99a8d3ba3ff7931a19f5327fa255b9606d35b2f
    SHA512: 5b10405d8920d3b83b20e8ebb850497047686e13dc85d0d2d8be0c335c35663c4f7ca776694c5c145e60604606275f597be94cf85a4e203c27a22bd57d4739aa
  • C:\Users\Admin\AppData\Roaming\EaxSet.exe
    Filesize: 98KB
    MD5: 32ea99984c4ac087a13d62ee493c0e5b
    SHA1: b74425cc3b69bfe2f8b5ac6f5d0e661d8a646f5e
    SHA256: 3d4fae60580e8c72482beea430dea8f3ed64e64bce3abe15150a26de0fffa7fe
    SHA512: 5064c78c2b8e145105eac87c154a13eb939f8dd4eac59a09c48fd8703195cbc8ed979302b1b6bc5d5b552dc4baf6584175c986d1e721c6f8d55ecc6ae02f0e2f
  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize: 8B
    MD5: cf759e4c5f14fe3eec41b87ed756cea8
    SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
    SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
  • memory/2004-0-0x000007FEF5273000-0x000007FEF5274000-memory.dmp
    Filesize: 4KB
  • memory/2004-1-0x00000000001C0000-0x00000000001DE000-memory.dmp
    Filesize: 120KB
  • memory/2004-3-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
    Filesize: 9.9MB
  • memory/2004-12-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
    Filesize: 9.9MB
  • memory/2004-14-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
    Filesize: 9.9MB
  • memory/2896-18-0x0000000000930000-0x000000000094E000-memory.dmp
    Filesize: 120KB