Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
57s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
21/09/2024, 19:26
General
-
Target
b9ca3de39b6ff253a9683c6f32666f4882a275e4e7a9df69f4f2787373f88a77.exe
-
Size
267KB
-
MD5
ca543a3a645d3f76aa25727b92b8596d
-
SHA1
93f60ad73571b2a7579e2ee888bea21e7974c47a
-
SHA256
b9ca3de39b6ff253a9683c6f32666f4882a275e4e7a9df69f4f2787373f88a77
-
SHA512
7c1cfe5218e22d325701d91dedb464964a3cbef5db04bf207854c24107dada6e216fb1f046d4e20de53387eebfcf575d51ae96ca58d9554c5e47247d636f949a
-
SSDEEP
3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sds:WFzDqa86hV6uRRqX1evPlwAEds
Malware Config
Extracted
asyncrat
0.4.9G
corporation.warzonedns.com:9341
480-28105c055659
-
delay
0
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ca3de39b6ff253a9683c6f32666f4882a275e4e7a9df69f4f2787373f88a77.exe"C:\Users\Admin\AppData\Local\Temp\b9ca3de39b6ff253a9683c6f32666f4882a275e4e7a9df69f4f2787373f88a77.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213B
MD50955cb4b691d44b37f8b6fad48a33b8e
SHA19dae759ae014cc124ab6eed7c8035788c124ae4a
SHA2569092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71
SHA51208b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235
-
Filesize
267KB
MD58c1b5a0f226bb21c91cd296d973fa35a
SHA1b81c0f030564576e03d594ddada0ca52a9a12102
SHA2562cf73aeba9bffb8f1d9fbe70e0036ca1a6246d654f884ee6b0f9a9f0663f3c42
SHA512bd587aebe21554ab736023327f78c9af2ec37ab9edaeda3650421ce6fe5478e44555448f0696b9853c8602de39baf0ed760152f0adce2d1e7bfdc85d1809aaca
-
Filesize
6.9MB
-
Filesize
280KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
280KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB