Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
29/07/2024, 10:25
General
-
Target
a906b97520b2cea778426a1e634890e9142930f2dd47ccf8fe3781a15050adc1.exe
-
Size
7.7MB
-
MD5
02a576c11678bb469de93edf81dfdda3
-
SHA1
dae0bffab8bb5d17803262275b7803557d756e03
-
SHA256
a906b97520b2cea778426a1e634890e9142930f2dd47ccf8fe3781a15050adc1
-
SHA512
4b5e6698e52f66cb32ed7c8a3765a9594cb2ab42a52bee5f525a1d23903846bbea49fae57b5ab64f97a6f4f393857319eab0905be463543eef30193cb6ed8431
-
SSDEEP
24576:EJ2pbDE+yLMitYU03YDNrb+wLmS4rDILywPnt79Re50X5rqlI:+sDRxit70IDNr/4HILywPt7i
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
41.216.183.111:4449
kcnzlaqzjkle
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to execute payload.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a906b97520b2cea778426a1e634890e9142930f2dd47ccf8fe3781a15050adc1.exe"C:\Users\Admin\AppData\Local\Temp\a906b97520b2cea778426a1e634890e9142930f2dd47ccf8fe3781a15050adc1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\conhost.exe"conhost.exe" --headless powershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/i:III C:\Users\Admin\AppData/Roaming/1pOh.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'NrcgW Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/i:III C:\Users\Admin\AppData/Roaming/1pOh.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'NrcgW Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /i:III C:\Users\Admin\AppData/Roaming/1pOh.dll1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.3MB
MD5cfd6d82a2539c32738c133916c92006b
SHA12ca7659eb93ee76d28108e4606d44fce04571208
SHA256d559dbd5957ee8757a5af765f55f8eb6709b969390296e33bc4e7b1a85f838a0
SHA51235900c5a8bee5591eacaa8edf93205c207220c0ef16ebd15ffa90e536796e5f012089a28ea7a68f070c6478b42571f185b0c3b3f90bb5e0b42598f7546fbcc95
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
96KB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB