Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

svchost23.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    599s
  • max time network
    396s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/07/2024, 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost23.exe

  • Size

    63KB

  • MD5

    5f00c912f2ac12df8525a30afb8f776e

  • SHA1

    516af350678a65e9e10901b8c990ef4601ae0844

  • SHA256

    ffe2d2e6b930f0b8f752d2a478d77cfbf9467006d294474fe33970a8c529b75a

  • SHA512

    5e9e96ed14d4c1fff020d9d1d00f137cbf1121cd5c3c58a054002d7d1f29a417b6f2f71d8f534c7207ea6bd87a3b57d7afea76390b90a1c8badf482dbba710d5

  • SSDEEP

    1536:FhMpLbRQkB4+ENds+jFBncsSRoAGbbzwHvGHtpqKmY7:FhMpLbRQkB4tds+jFBl2JGbbzt2z

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

1.2

Botnet

Default

C2

stores-less.gl.at.ply.gg:45080

Mutex

AtomRatMutex_penka

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost23.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost23.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp70AC.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:8
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\231.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\231.exe"'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Local\Temp\231.exe
              "C:\Users\Admin\AppData\Local\Temp\231.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "svchost"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "svchost"
            5⤵
              PID:2476
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp70E2.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\system32\timeout.exe
              timeout 3
              5⤵
              • Delays execution with timeout.exe
              PID:4304
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\231.exe
      Filesize

      63KB

      MD5

      1b8eea1226cd913da97c0c0b8a806b18

      SHA1

      4320bde806e4fb5792be6bfb2e0b45ae30033fa0

      SHA256

      4476d0eb2a47cb9bfe3155abf0a1603de727dd127f4df099b344df56c22c0d67

      SHA512

      70fca344d74efe3e1bf9268e36bd2aac698e69cde340559f5a0df603bf996d06f6b60920cf02ecf19c8532f6a6d6210a4c9ad54a61ddbf12541ae0cfee3da7f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oib33h1p.qsg.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp70AC.tmp.bat
      Filesize

      151B

      MD5

      bb412c404826adbd2a3ec3cd9ada98d8

      SHA1

      362a9426959e893ffee599c268c63f93e9f548a5

      SHA256

      9a1957aacbabafd2bfead602038e883473975c672f37f98644620af9b81e5eb4

      SHA512

      3bb8c642bdd6accacc7bdc043ec7e4173289d8834fddc9f68db9bbdf3ff21d588c7a24cdae3a7404cc14a2ba0c41f7e688b3e12713541b56e30fdc4627f07bc6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp70E2.tmp.bat
      Filesize

      156B

      MD5

      1a13ded1b01c390aa620119102ee205e

      SHA1

      81256f3b055466da04720617d5feee1a03dcacaa

      SHA256

      104215ffca6eee72d90a322a2a007d43e3e7153a16f3e8e054d23c21ee6d5783

      SHA512

      a2bb1ef618a94e29cd619a0a669251795eca689741c6e28dfb39c72b3f364feaacdc18a30baba535d676ccb4d948dafe7cf166a263ba2a0e21d625be03da6f8b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      63KB

      MD5

      5f00c912f2ac12df8525a30afb8f776e

      SHA1

      516af350678a65e9e10901b8c990ef4601ae0844

      SHA256

      ffe2d2e6b930f0b8f752d2a478d77cfbf9467006d294474fe33970a8c529b75a

      SHA512

      5e9e96ed14d4c1fff020d9d1d00f137cbf1121cd5c3c58a054002d7d1f29a417b6f2f71d8f534c7207ea6bd87a3b57d7afea76390b90a1c8badf482dbba710d5

      Download Submit

    • memory/2552-27-0x00000204F82D0000-0x00000204F82DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2552-26-0x00000204F9F10000-0x00000204F9F86000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2552-28-0x00000204F8690000-0x00000204F86AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2552-62-0x00000204FA680000-0x00000204FA6E4000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2740-34-0x0000021B56EE0000-0x0000021B56F02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3516-60-0x000001E05A600000-0x000001E05A616000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4928-8-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4928-0-0x00007FFD0B763000-0x00007FFD0B764000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4928-3-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4928-2-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4928-1-0x0000022FC7710000-0x0000022FC7726000-memory.dmp

      Filesize

      88KB

      Download