
Analysis

  • max time kernel
    73s
  • max time network
    74s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13/07/2024, 17:45

General

  • Target

    F-M-E V2 @RFREE.exe

  • Size

    1001KB

  • MD5

    20f79abbb22e4ce80d8d91347945472b

  • SHA1

    5decdd32943e35c11e89d60aa359be115179b732

  • SHA256

    c1dc64a3e60375c031e62f0e04c48817752d67f55a047aa62a3058052067f6a9

  • SHA512

    3cbfbd778ded7f8fb07129664ec4d0672603088edc717e671970bd222c989625a126f5f8a7658f4b343cce3cf48597ef81f32d7349c2b993a65778158d8994d4

  • SSDEEP

    24576:QWmAu6LxlLQKjgl72Dyhg+XddI3rkbCTkQHwqgzJvAH:dLLDkogl72mRXEbqkkQH2o

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xdatarfree.ddns.net:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-M-E V2 @RFREE.exe
    "C:\Users\Admin\AppData\Local\Temp\F-M-E V2 @RFREE.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\Xbcliassvhpkb.exe
      "C:\Users\Admin\AppData\Local\Temp\Xbcliassvhpkb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Users\Admin\AppData\Local\Temp\7zS4F8B8DE7\name.exe
        .\name.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:276
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/bN4Aynk
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4764
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa41853cb8,0x7ffa41853cc8,0x7ffa41853cd8
            5⤵
            PID:4996
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
            5⤵
            PID:4032
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3948
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
            5⤵
            PID:4408
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
            5⤵
            PID:3148
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
            5⤵
            PID:1236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
            5⤵
            PID:72
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4040 /prefetch:8
            5⤵
            PID:2704
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3708 /prefetch:8
            5⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            PID:2428
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wkdm.BAT" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\system32\msg.exe
        msg * Cracked By @RFREE
        3⤵
        PID:1476
    • C:\Users\Admin\AppData\Local\Temp\Dldp.exe
      "C:\Users\Admin\AppData\Local\Temp\Dldp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:408
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3836
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1324
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3864
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 8b0c53c5fe6ad2ee4ffbde1b3384d027
    SHA1: 0c9ae4f75a65ed95159b6eb75c3c7b48971f3e71
    SHA256: 2e9fc3b050296902d0bb0ce6b8acc0bb54440f75f54f1f04ae95c9956108171f
    SHA512: 29f62e085d685d3b4902515790ab4f298454d0f8d53b6234fae9f9a0edffdd0d4edee57261e8eb0b94a4af8e86d3f7ab8b044c6f259576b89f91183002e58b42

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: afe63f44aa3aa9393e4251b4b74226e3
    SHA1: 29eef15e4d60afed127861deebc7196e97d19e4a
    SHA256: 7787181844d106768f78847869b5e784f07c1b65109d59b46932979bac823cd3
    SHA512: f0f7951b5d55c2cbb71add5ab0c2ed3617a6fdf93f2c81ee9dd15d9f7c67881b42cbfd97cc4d2f17ba8a383624b23da1897fee069ddcee34233c1f625062a1cb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 96B
    MD5: 97afda5783a977e9b5a2d4def016b3f8
    SHA1: c0263a15d085a989b23e5afff9cf04722763f2ba
    SHA256: d8c56956e38762cb017637fae88dca96764d93346cda460ef3d559082a6d2a2e
    SHA512: 922b656ff97d92186e225e53a87d79992c16c1922968993a40151e6aa9b6f387289fd891d8cef9e9f2b4574f78d243c60cc9e3406981dbf8e826cca5dcbb163b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 179B
    MD5: c88a3bc77002a075b95198522f195432
    SHA1: dd6ff073c9b7fa86d1a461013165a7251443e777
    SHA256: 8f8c6061b94669fcf151b9f8f1c979a33ad38d597be893f375bff44ad1b3556d
    SHA512: e3facaf13afeab1a90a5c15f31288611e7af177fed3e4474aefee3560c5e1129579ea74857f5a3845b8f04c117e6c5af45c87df5d0b003e1259d918b7b0dff1f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: dddb9d16d68bacf3b64d8f205ca78e7e
    SHA1: 6b64246edf393960a06d441037d77b9d1d7d7e0f
    SHA256: 8c9b7599c73d924495af79807b4b31edefe2c167b85444e2cb24a9f0e9214942
    SHA512: d13532aa8a58ea58a515e43f890a7af4b3a5d75776d061fb5fb6651fb267b971c2df4539dd4b6866397186d17c4894a8c307e735c6dfa104b72e03a6a2cca9a2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 1b764e7ba143f67c548128d5c1d69686
    SHA1: c20b647458d6f29822c202933320a9a0f8369a03
    SHA256: 6ff834580f4e9bfb3cf4e74c5f30cfc8ad9a5b9a0a7497a47d8968ca590b3110
    SHA512: f1bb5a603ba486754db73d11ad3facbcbd2ae9fbe967dc7b01d19f67180af411ff2ef19ec03a3968bdde6fae6e4a02d02bc292e041f00c6f66d76eb627163945

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: c3d0da3976daa909d6159166c8a76a45
    SHA1: 46194ffec648f0da1d3e205281d82dbd97cbdf20
    SHA256: 3535e528399de8ab7a8030f473c46a0a0515d3bd1a531505840da3b62da47a50
    SHA512: 0f264d845103183d44bb27a2ab7450b07f77f126d895e9ad394378c1bf84f160921031286241166c32f6353ce35c66f89fb044d3b7a11a2b7371ed9f72cc3fa7

  • C:\Users\Admin\AppData\Local\Temp\7zS4F8B8DE7\fkfkkfkkfkkffffkffkkfkkfkkfffkkkfkfff
    Filesize: 1KB
    MD5: ce506b8806c9bafe788389668110cef1
    SHA1: 19cc93d1563314d91f7f79385028dab41546784a
    SHA256: 62f5afe0fbe445054069df39763dd1291972840ee0eb1f68a7b525b4fb267795
    SHA512: f8639744d7c8243d41ab6b40aa48021430acf0d71a99c3588df33548ec1e33c20d5cb6809c026a99c3555095c7862d3b5cb257eeb5152663b0e8ae01a2ab7a81

  • C:\Users\Admin\AppData\Local\Temp\7zS4F8B8DE7\name.exe
    Filesize: 1.2MB
    MD5: 14a8397b20d4d24d6c24f371b7a17607
    SHA1: 2ac04da61c13f0a24536d8fcfae74e77b713a296
    SHA256: b2e9f7fe8442818af5bd3eb5d862ff86f5eb71a295cd999ef17bc302d233c968
    SHA512: d637a16fbc37616f0d11438954f0b7eed9477ef33b918bbb40c331218b426702be17a6dd6eb0450328a6b4ff9e4e161519f9348680f030ae55097e5d3fb4e3ab

  • C:\Users\Admin\AppData\Local\Temp\Dldp.exe
    Filesize: 63KB
    MD5: 5fe700a0ac449741abf1169c81bc79fb
    SHA1: ed58c091e3b326b041a87c8dc0785b6b9a3fb184
    SHA256: 1630f0a7e98dd0ed71dbcb9d7875b59aeeb2152b40324166ecb92f737582fa7b
    SHA512: 0d0eb52ab16aa8c5f7a4fa876aa337d19ade7d85cf66e6a9dd181786fb77dc6ebcfa67708c29d50951540cc92584c3abc5497fdbf08aa768034a5685183c67bd

  • C:\Users\Admin\AppData\Local\Temp\Wkdm.BAT
    Filesize: 29B
    MD5: 792e2d3f44cb8393a39d64cd7c8d7149
    SHA1: e61432ef42b3ba38102fc267e0dab11fe03e7f0f
    SHA256: 8b61995b0af381fd55397b6b07b11fa627db5384de74f4ac7068b7c8aacbe702
    SHA512: 9ca96820b71d6b69e6b820258c6cadef00ad623aec17c19eef781ad8dbf24ff9453cefec0e731be0f936fad44c174a5b0a1545c585ad89c7b95be0704adab648

  • C:\Users\Admin\AppData\Local\Temp\Xbcliassvhpkb.exe
    Filesize: 1021KB
    MD5: 79799b08d2c033be250dd6428b9db572
    SHA1: d301468af602a857a0d53244dfc3643cd6cba36f
    SHA256: a67b92c1ead803283101fc39e4d978850b1cfea5003bacba8941423d0e316c5c
    SHA512: 7626fd94481647db27d434955469bc34ecd2c119dea3ef18c6c1554b4a95b27492ce0352c8fda611ceddf5ddcbed858da2d023c79e750fdb0523b2b8a854db56

  • memory/408-31-0x00007FFA30010000-0x00007FFA30AD2000-memory.dmp
    Filesize: 10.8MB

  • memory/408-29-0x0000000000E20000-0x0000000000E36000-memory.dmp
    Filesize: 88KB

  • memory/408-187-0x00007FFA30010000-0x00007FFA30AD2000-memory.dmp
    Filesize: 10.8MB

  • memory/2388-0-0x00007FFA30013000-0x00007FFA30015000-memory.dmp
    Filesize: 8KB

  • memory/2388-30-0x00007FFA30010000-0x00007FFA30AD2000-memory.dmp
    Filesize: 10.8MB

  • memory/2388-2-0x00007FFA30010000-0x00007FFA30AD2000-memory.dmp
    Filesize: 10.8MB

  • memory/2388-1-0x0000000000570000-0x0000000000670000-memory.dmp
    Filesize: 1024KB