Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/07/2024, 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    63KB

  • MD5

    1b8eea1226cd913da97c0c0b8a806b18

  • SHA1

    4320bde806e4fb5792be6bfb2e0b45ae30033fa0

  • SHA256

    4476d0eb2a47cb9bfe3155abf0a1603de727dd127f4df099b344df56c22c0d67

  • SHA512

    70fca344d74efe3e1bf9268e36bd2aac698e69cde340559f5a0df603bf996d06f6b60920cf02ecf19c8532f6a6d6210a4c9ad54a61ddbf12541ae0cfee3da7f1

  • SSDEEP

    1536:zZgPH9F4s1THE6HTIiTEulumGbb+wAe+EhGG0kpqKmY7:zZgPH9F4sBHLTIiTnGbb+xmuvz

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.2

Botnet

Default

C2

stores-less.gl.at.ply.gg:45080

Mutex

AtomRatMutex_penka

Attributes
  • delay

    1

  • install

    true

  • install_file

    piskat.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "piskat" /tr '"C:\Users\Admin\AppData\Roaming\piskat.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "piskat" /tr '"C:\Users\Admin\AppData\Roaming\piskat.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA633.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1228
      • C:\Users\Admin\AppData\Roaming\piskat.exe
        "C:\Users\Admin\AppData\Roaming\piskat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA633.tmp.bat
    Filesize

    150B

    MD5

    17de485c5edd62a0ac5417aea5b0d18a

    SHA1

    7f15e79ac302b8d45f3c8a39c8b97d92d56fc288

    SHA256

    ac14135d918e9e68715f34d053e01bf14b244782e8e139a8bdba84cf6cd8a6a8

    SHA512

    9d7177b8971f0cda2a7dcba415979c3a22ca968eefc281698b63df4aaa78c2f92d39ee830c691d7280ff16536c84084fc776dd2f44fa8b2b42ce14d6a17db531

    Download Submit

  • C:\Users\Admin\AppData\Roaming\piskat.exe
    Filesize

    63KB

    MD5

    1b8eea1226cd913da97c0c0b8a806b18

    SHA1

    4320bde806e4fb5792be6bfb2e0b45ae30033fa0

    SHA256

    4476d0eb2a47cb9bfe3155abf0a1603de727dd127f4df099b344df56c22c0d67

    SHA512

    70fca344d74efe3e1bf9268e36bd2aac698e69cde340559f5a0df603bf996d06f6b60920cf02ecf19c8532f6a6d6210a4c9ad54a61ddbf12541ae0cfee3da7f1

    Download Submit

  • memory/3148-1-0x00007FFC094E3000-0x00007FFC094E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3148-0-0x000001E2D3200000-0x000001E2D3216000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3148-2-0x00007FFC094E0000-0x00007FFC09FA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3148-7-0x00007FFC094E0000-0x00007FFC09FA1000-memory.dmp

    Filesize

    10.8MB

    Download