Analysis
- max time kernel: 107s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/09/2024, 13:57
Static task: static1
Behavioral task: behavioral1
Sample: Image-1.exe
Resource: win7-20240903-en
General
- Target: Image-1.exe
- Size: 257KB
- MD5: aa7453ea631c154413df9974a3b17b90
- SHA1: ec7df5d298d392b3d1e7e7825e15ee112d587885
- SHA256: 46a63396c3d340513f963181b0098f984e62861875151d25fea30013170c8f3e
- SHA512: fb1b9f3216d4574936c019b7351f8b9f5a63983df0ad231b210cb67d188b1824aeb3240471d7ed7842a47108aef681d185c026233d1687af7b48510fae8bfbb1
- SSDEEP: 6144:mCn9gl994bCIMenvjnPrNoaIxT7K/P19yZD2kzMZOI:mCKl92CIDvjDNo1t7K/P19yZD2kzMZz
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 154.216.17.207:7707, 154.216.17.207:8808, 154.216.17.207:1188
- Mutex: AsyncMutex_6SI8OkPnk
Attributes
- delay: 100
- install: true
- install_file: file.exe
- install_folder: %AppData%
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (Image-1.exe)
- Executes dropped EXE (3 IoCs)
    PID 4072 file.exe
    PID 3152 file.exe
    PID 2140 file.exe
- Suspicious use of SetThreadContext (4 IoCs)
    PID 4176 (Image-1.exe) set thread context of PID 5036 (procid_target 84)
    PID 4176 (Image-1.exe) set thread context of PID 2628 (procid_target 85)
    PID 4072 (file.exe) set thread context of PID 3152 (procid_target 103)
    PID 4072 (file.exe) set thread context of PID 2140 (procid_target 104)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
    PID 3956 WerFault.exe, pid_target 2140 (procid_target 104)
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: Image-1.exe (3 events), file.exe (2 events), cmd.exe (2 events), schtasks.exe, timeout.exe
- Delays execution with timeout.exe (1 IoC)
    PID 4664 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID 3840 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
    PID 5036 Image-1.exe (19 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token: SeDebugPrivilege, PID 4176 Image-1.exe
    Token: SeDebugPrivilege, PID 5036 Image-1.exe
    Token: SeDebugPrivilege, PID 4072 file.exe
- Suspicious use of WriteProcessMemory (47 IoCs, grouped by source and target)
    PID 4176 (Image-1.exe) wrote to memory of PID 5036 (procid_target 84): 8 events
    PID 4176 (Image-1.exe) wrote to memory of PID 2628 (procid_target 85): 8 events
    PID 5036 (Image-1.exe) wrote to memory of PID 4332 (procid_target 96): 3 events
    PID 5036 (Image-1.exe) wrote to memory of PID 3420 (procid_target 98): 3 events
    PID 4332 (cmd.exe) wrote to memory of PID 3840 (procid_target 100): 3 events
    PID 3420 (cmd.exe) wrote to memory of PID 4664 (procid_target 101): 3 events
    PID 3420 (cmd.exe) wrote to memory of PID 4072 (procid_target 102): 3 events
    PID 4072 (file.exe) wrote to memory of PID 3152 (procid_target 103): 8 events
    PID 4072 (file.exe) wrote to memory of PID 2140 (procid_target 104): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Image-1.exe (PID 4176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image-1.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Image-1.exe (PID 5036)
    Command line: C:\Users\Admin\AppData\Local\Temp\Image-1.exe
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4332)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"' & exit
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3840)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"'
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe (PID 3420)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5104.tmp.bat""
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 4664)
        Command line: timeout 3
        Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\file.exe (PID 4072)
        Command line: "C:\Users\Admin\AppData\Roaming\file.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\file.exe (PID 3152)
          Command line: C:\Users\Admin\AppData\Roaming\file.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        - C:\Users\Admin\AppData\Roaming\file.exe (PID 2140)
          Command line: C:\Users\Admin\AppData\Roaming\file.exe
          Signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\WerFault.exe (PID 3956)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 80
            Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\Image-1.exe (PID 2628)
    Command line: C:\Users\Admin\AppData\Local\Temp\Image-1.exe
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 3380)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2140 -ip 2140
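The install chain in the process tree above (schtasks registering an ONLOGON task whose action lives under %AppData%, a %TEMP%\tmpXXXX.tmp.bat launcher that waits with timeout before starting the dropped file.exe, and each stage spawning a fresh copy of its own image, which together with the SetThreadContext and WriteProcessMemory signatures is consistent with process hollowing) and the C2 list in the Malware Config section translate directly into host detections. The Python below is an added example and not part of the tria.ge report: the Sysmon-style process and network events are constructed to mirror the report's process tree and the extracted config (the report shows no network capture, so the connection rows are illustrative only), and the regexes and rule logic are the editor's assumptions rather than anything the sandbox emits.

```python
"""Detections for the AsyncRAT install chain documented in this report.

Added example, not sandbox output. Events are CONSTRUCTED (Sysmon EID 1 / EID 3
style, fields trimmed) from the process tree and the extracted config above.
"""
import re
from dataclasses import dataclass

# C2 endpoints from the extracted AsyncRAT config on the page.
C2_HOSTS = {"154.216.17.207"}
C2_PORTS = {7707, 8808, 1188}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# Constructed to mirror the report's process tree (PIDs and command lines as shown).
SAMPLE_PROC_EVENTS = [
    ProcEvent(4176, 1000, TMP + r"\Image-1.exe", f'"{TMP}\\Image-1.exe"'),
    ProcEvent(5036, 4176, TMP + r"\Image-1.exe", TMP + r"\Image-1.exe"),
    ProcEvent(4332, 5036, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon '
              f'/rl highest /tn "file" /tr \'"{ROAMING}\\file.exe"\' & exit'),
    ProcEvent(3840, 4332, r"C:\Windows\SysWOW64\schtasks.exe",
              f'schtasks /create /f /sc onlogon /rl highest /tn "file" /tr \'"{ROAMING}\\file.exe"\''),
    ProcEvent(3420, 5036, r"C:\Windows\SysWOW64\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c ""{TMP}\\tmp5104.tmp.bat""'),
    ProcEvent(4664, 3420, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(4072, 3420, ROAMING + r"\file.exe", f'"{ROAMING}\\file.exe"'),
    ProcEvent(3152, 4072, ROAMING + r"\file.exe", ROAMING + r"\file.exe"),
    # Benign noise (constructed): a normal daily task whose action is under Program Files.
    ProcEvent(6000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Constructed, NOT observed traffic: the report contains no network capture.
SAMPLE_NET_EVENTS = [
    NetEvent(5036, "154.216.17.207", 7707),
    NetEvent(6000, "93.184.216.34", 443),
]

ONLOGON = re.compile(r"/sc\s+onlogon", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
TMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{1,4}\.tmp\.bat", re.I)


def _children(events):
    by_ppid = {}
    for e in events:
        by_ppid.setdefault(e.ppid, []).append(e)
    return by_ppid


def schtasks_persistence(events):
    """schtasks.exe creating an ONLOGON task whose action points into AppData."""
    return [e.pid for e in events
            if e.image.lower().endswith("\\schtasks.exe")
            and ONLOGON.search(e.cmdline) and USER_WRITABLE.search(e.cmdline)]


def tmp_bat_launcher(events):
    """cmd.exe running %TEMP%\\tmpXXXX.tmp.bat and then starting an EXE from AppData."""
    kids = _children(events)
    return [e.pid for e in events
            if e.image.lower().endswith("\\cmd.exe") and TMP_BAT.search(e.cmdline)
            and any(USER_WRITABLE.search(c.image) for c in kids.get(e.pid, []))]


def self_respawn(events):
    """Child whose image equals its parent's image: the hollowing stage in this tree."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def c2_connections(events):
    """Outbound connections matching the C2 host/port set from the extracted config."""
    return [(e.pid, e.dst_ip, e.dst_port) for e in events
            if e.dst_ip in C2_HOSTS and e.dst_port in C2_PORTS]


def run_all(proc_events=SAMPLE_PROC_EVENTS, net_events=SAMPLE_NET_EVENTS):
    return {
        "schtasks_persistence": schtasks_persistence(proc_events),
        "tmp_bat_launcher": tmp_bat_launcher(proc_events),
        "self_respawn": self_respawn(proc_events),
        "c2_connections": c2_connections(net_events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

The three process rules are deliberately independent so that a hit on any one of them is actionable on its own: the schtasks rule survives a changed drop name, the tmp.bat rule survives a changed task name, and the self-respawn rule catches the loader even before it persists. Treat the C2 list as the most brittle indicator, since a rebuilt sample changes it for free.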
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
- Filesize: 148B
  MD5: aafc4f00b9b66ac63cc23ab7ed2bf299
  SHA1: a3632f62a21eb1a41d6068eb303ddbd43530f07f
  SHA256: 8d492e5c98f59120452adebd66dbfe8e0b70197f63b367ea61467d530103db4b
  SHA512: 562e199c1673e586d85a2801e6159fc4f9746e356a69a74e8b3e30ac232413f4dc5777bac8b296caad819c233d99e3680fec9f80040d7739acf3d7f3b26c1113
- Filesize: 257KB (hashes identical to the submitted Image-1.exe)
  MD5: aa7453ea631c154413df9974a3b17b90
  SHA1: ec7df5d298d392b3d1e7e7825e15ee112d587885
  SHA256: 46a63396c3d340513f963181b0098f984e62861875151d25fea30013170c8f3e
  SHA512: fb1b9f3216d4574936c019b7351f8b9f5a63983df0ad231b210cb67d188b1824aeb3240471d7ed7842a47108aef681d185c026233d1687af7b48510fae8bfbb1