Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Image-1.exe

windows7-x64

10

Image-1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2024, 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Image-1.exe

  • Size

    257KB

  • MD5

    aa7453ea631c154413df9974a3b17b90

  • SHA1

    ec7df5d298d392b3d1e7e7825e15ee112d587885

  • SHA256

    46a63396c3d340513f963181b0098f984e62861875151d25fea30013170c8f3e

  • SHA512

    fb1b9f3216d4574936c019b7351f8b9f5a63983df0ad231b210cb67d188b1824aeb3240471d7ed7842a47108aef681d185c026233d1687af7b48510fae8bfbb1

  • SSDEEP

    6144:mCn9gl994bCIMenvjnPrNoaIxT7K/P19yZD2kzMZOI:mCKl92CIDvjDNo1t7K/P19yZD2kzMZz

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.216.17.207:7707

154.216.17.207:8808

154.216.17.207:1188
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    100

  • install

    true

  • install_file

    file.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Image-1.exe
    "C:\Users\Admin\AppData\Local\Temp\Image-1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\Image-1.exe
      C:\Users\Admin\AppData\Local\Temp\Image-1.exe
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5104.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4664
        • C:\Users\Admin\AppData\Roaming\file.exe
          "C:\Users\Admin\AppData\Roaming\file.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Users\Admin\AppData\Roaming\file.exe
            C:\Users\Admin\AppData\Roaming\file.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3152
          • C:\Users\Admin\AppData\Roaming\file.exe
            C:\Users\Admin\AppData\Roaming\file.exe
            5⤵
            • Executes dropped EXE
            PID:2140
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 80
              6⤵
              • Program crash
              PID:3956
    • C:\Users\Admin\AppData\Local\Temp\Image-1.exe
      C:\Users\Admin\AppData\Local\Temp\Image-1.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2140 -ip 2140
    1⤵
      PID:3380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Image-1.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp5104.tmp.bat
      Filesize

      148B

      MD5

      aafc4f00b9b66ac63cc23ab7ed2bf299

      SHA1

      a3632f62a21eb1a41d6068eb303ddbd43530f07f

      SHA256

      8d492e5c98f59120452adebd66dbfe8e0b70197f63b367ea61467d530103db4b

      SHA512

      562e199c1673e586d85a2801e6159fc4f9746e356a69a74e8b3e30ac232413f4dc5777bac8b296caad819c233d99e3680fec9f80040d7739acf3d7f3b26c1113

      Download Submit

    • C:\Users\Admin\AppData\Roaming\file.exe
      Filesize

      257KB

      MD5

      aa7453ea631c154413df9974a3b17b90

      SHA1

      ec7df5d298d392b3d1e7e7825e15ee112d587885

      SHA256

      46a63396c3d340513f963181b0098f984e62861875151d25fea30013170c8f3e

      SHA512

      fb1b9f3216d4574936c019b7351f8b9f5a63983df0ad231b210cb67d188b1824aeb3240471d7ed7842a47108aef681d185c026233d1687af7b48510fae8bfbb1

      Download Submit

    • memory/2628-18-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2628-21-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2628-16-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2628-13-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4176-8-0x00000000046F0000-0x00000000046F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4176-7-0x000000000D990000-0x000000000DA22000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4176-6-0x000000000DEA0000-0x000000000E444000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4176-0-0x00000000752BE000-0x00000000752BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4176-5-0x000000000D850000-0x000000000D8EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4176-14-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4176-4-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4176-3-0x000000000D770000-0x000000000D7B0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4176-2-0x0000000002540000-0x0000000002546000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4176-1-0x0000000000200000-0x000000000024A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/5036-12-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5036-20-0x00000000050A0000-0x0000000005106000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5036-17-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5036-25-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5036-15-0x00000000752B0000-0x0000000075A60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5036-9-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download