Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 06:04
Static task
- static1
- 1 signatures

Behavioral task
- behavioral1
- Sample: payload.exe
- Resource: win7-20240705-en
- 6 signatures
- 150 seconds
General
- Target: payload.exe
- Size: 187KB
- MD5: 114cfb0a1a06cb6c621edfbe35c6de7d
- SHA1: c8f44299a96807e741507423fae47e46afa8d434
- SHA256: a07479025c1100c57c7240d438305e85db5ea96d4d31f7103c3f27f044e19bd3
- SHA512: 4540a0a25cb29a6aa7d296ca9a0ff2a19c28177cea2623e57b32ec22b356a4dd7744e5c95852dd5b83c9c1390664a6dbf2c9db3789b38c60e885e899ea12fe61
- SSDEEP: 3072:a4BXIEcFjraWaHC9dZa6y/WKiHCDF2s87j34Ih0TiRurbPaxR:hXKcXi9dZa6kWKrhKj/h0Tsuvc
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Botnet: Default
- C2: 64.112.85.3:4449
- Mutex: ufaaryvntrlyhwcwq
- Attributes
  - delay: 1
  - install: false
  - install_folder: %AppData%
- aes.plain
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  description                             pid   Process      procid_target
  PID 2436 set thread context of 4472     2436  payload.exe  84

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  4472  aspnet_regbrowsers.exe
  4472  aspnet_regbrowsers.exe
  4472  aspnet_regbrowsers.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4472  aspnet_regbrowsers.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4472  aspnet_regbrowsers.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                           pid   Process      procid_target
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
  PID 2436 wrote to memory of 4472      2436  payload.exe  84
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe (PID 2436, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID 4472, depth 2, child of 2436)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx