Analysis
max time kernel: 140s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 02:14
General
Target: Client.exe
Size: 48KB
MD5: a41754aa9cfd098e0f31fce03ab38166
SHA1: 22946a1c7828ab7a5f218b6a815350fc0e1d1c1b
SHA256: f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7
SHA512: 5cc51386415d49e6d4c87111f6674347568047ad3420f8095559f0d077b5f7593506a34d4877765563ff0feccf50c9d1b7501452ab7dc6ce611768571d248cd9
SSDEEP: 768:UVNYu9bVIILoech+ri0telDSN+iV08YbygeQVzZE3GdvEgK/JvZVc6KN:UVG7Z0tKDs4zb1lVzZEEnkJvZVclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: DcRatMutex_qwqdanchun
c2_url_file: https://Pastebin.com/raw/fevFJe98
delay: 1
install: true
install_file: nigger.exe
install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x00080000000235c5-10.dat; yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation; process: Client.exe
- Executes dropped EXE (1 IoC)
  pid: 1652; process: nigger.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 25: pastebin.com
  flow 26: pastebin.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid: 2208; process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 692; process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid: 3316; process: Client.exe (the same entry is reported 23 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid: 3316; process: Client.exe
  Token: SeDebugPrivilege; pid: 1652; process: nigger.exe
- Suspicious use of WriteProcessMemory (10 IoCs; each entry below is reported twice)
  PID 3316 (Client.exe) wrote to memory of 2420; procid_target: 94
  PID 3316 (Client.exe) wrote to memory of 2776; procid_target: 96
  PID 2420 (cmd.exe) wrote to memory of 692; procid_target: 98
  PID 2776 (cmd.exe) wrote to memory of 2208; procid_target: 99
  PID 2776 (cmd.exe) wrote to memory of 1652; procid_target: 104
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe (depth 1, PID 3316)
  command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (depth 2, PID 2420)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (depth 3, PID 692)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"'
      - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\cmd.exe (depth 2, PID 2776)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp491A.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (depth 3, PID 2208)
      command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\nigger.exe (depth 3, PID 1652)
      command line: "C:\Users\Admin\AppData\Roaming\nigger.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 1656)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4612,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150B
  MD5: 3dc8f026aa682a3420bc70644dbf2d8a
  SHA1: 064b6cfa82f3ba93917c51ba371e7be62a3b82d8
  SHA256: 99fee74ffe1b9656f3fe9d5ef0ee29500675039469f8c9b4b9d69695f5eef408
  SHA512: d2c690226088c3b6932a560171c0f88f1720256b77875c681837b8ccbdb4ea6cd70b6a3d2a17a29114b6e143677392346d83e9e94574dcbacd9c45ff2f8b4120
- Filesize: 48KB (same hashes as the submitted Client.exe)
  MD5: a41754aa9cfd098e0f31fce03ab38166
  SHA1: 22946a1c7828ab7a5f218b6a815350fc0e1d1c1b
  SHA256: f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7
  SHA512: 5cc51386415d49e6d4c87111f6674347568047ad3420f8095559f0d077b5f7593506a34d4877765563ff0feccf50c9d1b7501452ab7dc6ce611768571d248cd9