Analysis
max time kernel: 73s
max time network: 74s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system
submitted: 13/07/2024, 17:45
Static task: static1
Behavioral task: behavioral1
Sample: F-M-E V2 @RFREE.exe
Resource: win11-20240709-en
General
Target: F-M-E V2 @RFREE.exe
Size: 1001KB
MD5: 20f79abbb22e4ce80d8d91347945472b
SHA1: 5decdd32943e35c11e89d60aa359be115179b732
SHA256: c1dc64a3e60375c031e62f0e04c48817752d67f55a047aa62a3058052067f6a9
SHA512: 3cbfbd778ded7f8fb07129664ec4d0672603088edc717e671970bd222c989625a126f5f8a7658f4b343cce3cf48597ef81f32d7349c2b993a65778158d8994d4
SSDEEP: 24576:QWmAu6LxlLQKjgl72Dyhg+XddI3rkbCTkQHwqgzJvAH:dLLDkogl72mRXEbqkkQH2o
Malware Config
Extracted
Family: asyncrat
Version: 5.0.5
Botnet: Venom Clients
C2: xdatarfree.ddns.net:4449
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000100000002aa4b-20.dat, yara_rule: family_asyncrat
- Executes dropped EXE (3 IoCs)
  PID 2292 Xbcliassvhpkb.exe
  PID 408 Dldp.exe
  PID 276 name.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  flow 2: drive.google.com
  flow 8: discord.com
  flow 13: discord.com
  flow 14: discord.com
  flow 1: drive.google.com
  flow 1: discord.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (name.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1210443139-7911939-2760828654-1000\{C95876AC-F57A-4D2D-B20E-77EB688806AF} (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3948 msedge.exe (2 entries)
  PID 4764 msedge.exe (2 entries)
  PID 2428 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID 4764 msedge.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 408 Dldp.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 4764 msedge.exe (26 identical entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  PID 4764 msedge.exe (12 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1924 MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed, columns: description, pid, Process, procid_target)
  PID 2388 wrote to memory of 2292 (2388 F-M-E V2 @RFREE.exe, procid_target 79)
  PID 2388 wrote to memory of 5008 (2388 F-M-E V2 @RFREE.exe, procid_target 80)
  PID 2388 wrote to memory of 408 (2388 F-M-E V2 @RFREE.exe, procid_target 82)
  PID 5008 wrote to memory of 1476 (5008 cmd.exe, procid_target 83)
  PID 2292 wrote to memory of 276 (2292 Xbcliassvhpkb.exe, procid_target 84)
  PID 276 wrote to memory of 4764 (276 name.exe, procid_target 85)
  PID 4764 wrote to memory of 4996 (4764 msedge.exe, procid_target 86)
  PID 4764 wrote to memory of 4032 (4764 msedge.exe, procid_target 87)
  PID 4764 wrote to memory of 3948 (4764 msedge.exe, procid_target 88)
  PID 4764 wrote to memory of 4408 (4764 msedge.exe, procid_target 90)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\F-M-E V2 @RFREE.exe (PID 2388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\F-M-E V2 @RFREE.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Xbcliassvhpkb.exe (PID 2292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Xbcliassvhpkb.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS4F8B8DE7\name.exe (PID 276)
        Command line: .\name.exe
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4764)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/bN4Aynk
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4996)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa41853cb8,0x7ffa41853cc8,0x7ffa41853cd8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4032)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3948)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3148)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1236)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 72)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2704)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4040 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2428)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1864,9113300259642645804,4995542769630534908,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3708 /prefetch:8
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\system32\cmd.exe (PID 5008)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wkdm.BAT" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\msg.exe (PID 1476)
        Command line: msg * Cracked By @RFREE
  [2] C:\Users\Admin\AppData\Local\Temp\Dldp.exe (PID 408)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dldp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe (PID 3836)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe (PID 1324)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\rundll32.exe (PID 3864)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 1924)
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Suspicious use of SetWindowsHookEx
Downloads