Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

http45.151...xe.txt

windows10-1703-x64

10

Resubmissions

24/08/2024, 19:10

240824-xvmgnsvarc 10

24/08/2024, 18:56

240824-xlh3wstfpb 4

23/08/2024, 11:21

240823-nf4mza1bqc 4

23/08/2024, 11:13

240823-nbkz3azhrc 10

23/08/2024, 11:10

240823-m9qsjashrq 4

22/08/2024, 07:12

240822-h1kgyaxfpj 1

22/08/2024, 07:06

240822-hxesaaxenm 10

22/08/2024, 07:00

240822-hs54nsxdln 10

22/08/2024, 06:36

240822-hc93patara 8

22/08/2024, 06:32

240822-ha293awfnl 1

Analysis

  • max time kernel
    95s
  • max time network
    79s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22/08/2024, 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http45.151.62.96setup.exe.txt

  • Size

    29B

  • MD5

    688fe12c2f39d3d739a04e6c89b1b22f

  • SHA1

    e2ea25ad47861e77b912026839666d3a99f5c90b

  • SHA256

    35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c

  • SHA512

    f56694118d4adee2e0c65fb28c3ef86bc5db032656e2306e02e0f5b19706e260f0505ee97f5068d07ae5149a410a15eccd3ebc758d216a5549d7dc0de52834ac

Score
10/10
asyncratdefaultdefense_evasionrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:1024

20.199.84.103:1024
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4172
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.0.1160680060\2040412517" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1656 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83b0c231-153e-487a-939e-0b4ebaea378c} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 1764 299207d7558 gpu
        3⤵
          PID:520
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.1.847017691\34105410" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab1ae17-3129-4ca9-bf6f-e414b10aa17b} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 2120 2990e271958 socket
          3⤵
          • Checks processor information in registry
          PID:424
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.2.913161670\1614863502" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2864 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fbe8166-ab36-4dbe-8eab-53205f3b997e} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 2840 299248a1658 tab
          3⤵
            PID:4996
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.3.438725378\1705603447" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2988 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {817e2d7f-bbb7-4f41-9376-0336a7d6cb9f} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 2964 2990e25c458 tab
            3⤵
              PID:5040
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.4.443316242\980982921" -childID 3 -isForBrowser -prefsHandle 4452 -prefMapHandle 4448 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c466882-3d7c-4f49-a7e7-60adc7fe1910} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 4464 29926a62358 tab
              3⤵
                PID:4144
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.5.1239959277\686049104" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5032 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80acb629-f66a-4562-bdb8-c0fd8e6fcc49} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 5108 299235df258 tab
                3⤵
                  PID:4640
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.6.569274803\1554380788" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d94f697f-b66a-4c76-86ca-0334ab34b625} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 5052 299270fcb58 tab
                  3⤵
                    PID:4724
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.7.1492344679\815276449" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a66fa78-bb9e-4ca6-b16f-553589fe0228} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 5308 299270faa58 tab
                    3⤵
                      PID:4140
                    • C:\Users\Admin\Downloads\Client.exe
                      "C:\Users\Admin\Downloads\Client.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:3000
                • C:\Windows\system32\taskmgr.exe
                  "C:\Windows\system32\taskmgr.exe" /4
                  1⤵
                  • Drops file in Windows directory
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1176

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  715008dfc85e1ebe030dfe96bec8baf2

                  SHA1

                  3cf4ca36ec8d0367b9db1f235596a870736812c8

                  SHA256

                  fbdf52c3b37e2c67dfe72ca82340c1de26c60a0fea3c604153128d6685cd6e09

                  SHA512

                  9bed3e8c2e17bcc8845117a11793d94908c8cfa9b003437aa7dde77ac4e56efabb3e5164615057e87cc1aa2041b606c3e187c721dcc9e6202de8b962387e73ef

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\3da83290-7342-4f4c-97dd-5ae9958b86b4
                  Filesize

                  10KB

                  MD5

                  845ef2d1687ffe4c684f9d94a8e68333

                  SHA1

                  7afbc83828be733d91610e73dda6cdc6d4e5942d

                  SHA256

                  d6166ddd596fa7d97012d5c463b9b73483c1f7db8e0bde61ebb337116491343d

                  SHA512

                  ee9492060a31c1e9bbd28ccc935377bec5af295200259a994b8fea6a6066dd3c9913887c43886caaafc113f077db6f399e41365a425f0eb137f0f8a541d76525

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\a1937501-80d0-4f72-95ac-e5838d3f64a9
                  Filesize

                  746B

                  MD5

                  5f2874be0041b0984cb974e2a8986e0b

                  SHA1

                  1946e28553ef6257c562559e743ac507de0d7b99

                  SHA256

                  c031eac6513685f00d4af0b196d4ad13e728eee5379f74ff09469cb2f66e0c89

                  SHA512

                  6ea6d5be9d850ac4b36f7d6f436310674d3e1edbde151fff7f823c44e052a7d3d3f1dac678c0810e529678e0aeaf3ab33f3c9217e0fdc864b3e78eb9ad717107

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  d564d9a65fe684f91e98fe2e638e843a

                  SHA1

                  f0fe0da200fb3202ea0cd2365bc11bab3c3544d0

                  SHA256

                  f4d3a1935e059983e2a5a4b84627a5a8aa9931cdf1cac08fddac9f643636cd5b

                  SHA512

                  92333289f1752d484303a8ccf521e69f6ab4c8be2d035a4a2768557d05ea5b6cf38be2d3a5385e619d2feb727c7282eeba008b019666f292aad08fe4cd06c26b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  40b4bec3e99e423e1be88e61388d8071

                  SHA1

                  31014be9c301cb3d5f2651f81e4c2a9d39e969b4

                  SHA256

                  f8212bc640c2af568439577702ab18befcf56a7f80f6eb303508cd5e836b6b6d

                  SHA512

                  35a672b4da64e35d9a49a86fb2dc68be0d78a337e6da4c3c37708d630ad8d09850da64e6cdd8d25bafe725485665800bce49ab974df82270e59cce2ceb9ee28f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  e23db0c90f4d26be7956a539dcd09d24

                  SHA1

                  cadb0ec9ea186ef4077bf00d6c4637802b13a6b6

                  SHA256

                  cffff683ea8dad6d7040d54869ecd48f0e1d11af6231afab3aa020e285e072f5

                  SHA512

                  03d600f00fb43ee96143c826c960d728eac0a2b1156a13cda1f765b7ba8d29c82336b03b63c818a76567b58d9cd24b079c0605f1b780642ed1ed65c5f0548e13

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
                  Filesize

                  954B

                  MD5

                  c9b64d04eac6b43eafe7629ab7791411

                  SHA1

                  303d8bf9d866764724af86c3443c5fffed21a247

                  SHA256

                  877e008f2375b7bad029909bf72c9aba7f1b0c3449d973e8fe1cdbdb19ae6b6d

                  SHA512

                  2be8323758b866ba3aa2849da0872bb233b119e48a2f967fea9d0b6c24179e989c189cceb1534cf26bb996174b8d9505e301e1bdc45c8bf9b36a01626a533e5c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  184KB

                  MD5

                  7f868e557b098795d645df9ea302427f

                  SHA1

                  001f3306144559b4049a8ab139b4139f51e59c0e

                  SHA256

                  b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

                  SHA512

                  56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

                  Download Submit

                • C:\Users\Admin\Downloads\Client.98xtrmTh.exe.part
                  Filesize

                  12KB

                  MD5

                  d572ffdc92a1544d25a8983c40e1ecc7

                  SHA1

                  020ca43a8d7946f23b8cea9ac9f15752c248e9d7

                  SHA256

                  917a0e774c413499f0e513a93e51f1aec1ee8c115b4ddd184f4314a9173adf76

                  SHA512

                  8bd05ffb5850908f359076be075260d3da61eee6358e6b206c3886fcd3e98da0ef6aa0da50a21f880825fab56a066562703e7813d60011512e5e7d431969d06f

                  Download Submit

                • C:\Users\Admin\Downloads\Client.exe
                  Filesize

                  47KB

                  MD5

                  fedb1274930bfa08a83480134a3f1412

                  SHA1

                  d47be6340ecd780274b98dad463749eb2d9d49fd

                  SHA256

                  a8fcd268b48c903e21500439d6754500d59d12d7d5d4e2c7ea737661fa8fe230

                  SHA512

                  ba1d2a9745b837c1f984577a5d96bff1b2c126d86fd75c7e763b085ea8440360899d383be10a7a6f31bbd87c215c3dfed82c03c15880e8f4ef336c411cb448b4

                  Download Submit

                • memory/3000-126-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3000-127-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3000-124-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3000-123-0x0000000000850000-0x0000000000862000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3000-122-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp

                  Filesize

                  4KB

                  Download