Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Client.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    596s
  • max time network
    600s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/07/2024, 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    63KB

  • MD5

    a5764fe6f0b7af285c0187bd37046c6b

  • SHA1

    4f713d87a6bc6806997b9c5189f8b399e3de860d

  • SHA256

    cef5f8243d475962e0f5c18b9461146e6ee0a8261c11b0682251ddc790e7dd3b

  • SHA512

    39627e91dcb407e560d16b20391eedde240370eac3c166d22fc76ac9818909c072cf3aca15f43679b98033a8513fa26b1630e8adca9a414ec185417f2bd72c30

  • SSDEEP

    1536:7hpJL7VQky47k8NmceiHFGbbXwXHXaC7yzGbtpqKmY7:7hpJL7VQky4nNJeoGbbX8R2Y2z

Score
10/10
asyncratchuwawarat

Malware Config

Extracted

Family

asyncrat

Version

ChuWaWa 5.2

Botnet

ChuWaWa

C2

stores-less.gl.at.ply.gg:45080

Mutex

ChuWaWaRatMutex_penka

Attributes
  • delay

    1

  • install

    true

  • install_file

    213.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "213" /tr '"C:\Users\Admin\AppData\Roaming\213.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "213" /tr '"C:\Users\Admin\AppData\Roaming\213.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2400
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4884
      • C:\Users\Admin\AppData\Roaming\213.exe
        "C:\Users\Admin\AppData\Roaming\213.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp.bat
    Filesize

    147B

    MD5

    3d06d0ece45fe01485266b1245f4b2ac

    SHA1

    d2b96e76d097ab57ef39fe1688fab7f2b4fa7d99

    SHA256

    e6269866d82ac84ea5030a99d9f5ded8313201715f5720a8219a4deadcdfef9d

    SHA512

    dc0ec7afefe45c09aa1ac247c8d5573a1428a00badd1b8421b462043f91f6788af5f0d4ab374fdbaaeebda6c401d057fa88d8bcd69e2cd68bc4d3dfc86ccb3d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\213.exe
    Filesize

    63KB

    MD5

    a5764fe6f0b7af285c0187bd37046c6b

    SHA1

    4f713d87a6bc6806997b9c5189f8b399e3de860d

    SHA256

    cef5f8243d475962e0f5c18b9461146e6ee0a8261c11b0682251ddc790e7dd3b

    SHA512

    39627e91dcb407e560d16b20391eedde240370eac3c166d22fc76ac9818909c072cf3aca15f43679b98033a8513fa26b1630e8adca9a414ec185417f2bd72c30

    Download Submit

  • memory/600-0-0x0000017D19910000-0x0000017D19926000-memory.dmp

    Filesize

    88KB

    Download

  • memory/600-1-0x00007FF80FF60000-0x00007FF81013B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/600-2-0x00007FF80FF60000-0x00007FF81013B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/600-3-0x00007FF80FF60000-0x00007FF81013B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/600-8-0x00007FF80FF60000-0x00007FF81013B000-memory.dmp

    Filesize

    1.9MB

    Download