Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Dehasher.exe

windows7-x64

10

Dehasher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dehasher.exe

  • Size

    1.1MB

  • MD5

    be43176a494e84f0beb04cdd86efd67d

  • SHA1

    09e738c02dfe2e8664d7072ee2d9df3fea7e2079

  • SHA256

    76a429a6968d22df6339119f21f83ad0337ad9d60be818b328dbdc8cacfbcaeb

  • SHA512

    8a8c01bb1c4aa8db4346d693c2650862f8965b897ffbabc19e04a091964b20b093e27be5fd19d7e37eb81816275b2e8da40d289c3fa3485f047d9e527a00ce11

  • SSDEEP

    24576:OCUG////SMrrr8SSCrirMSpSc9CLtrDrHO37kw8m657w6ZBLmkitKqBCjC0PDgMW:OCUd37bVV1BCjB

Score
10/10
asyncratneshtastormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7044437613:AAEXeS1SKGTrEjQ8F-7vSegWo8OLABeJY5k/sendMessage?chat_id=6052812018
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 3 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dehasher.exe
    "C:\Users\Admin\AppData\Local\Temp\Dehasher.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\LET.EXE
      "C:\Users\Admin\AppData\Local\Temp\LET.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
        "C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1088
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:628
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2040
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2332
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\System32\schtasks.exe /create /f /sc ONLOGON /RL HIGHEST /tn Chrome Update /tr C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2660
    • C:\Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE
      "C:\Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\3c40e6ca581f3e4961b899f6f6971c60\msgid.dat
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
    Filesize

    175KB

    MD5

    c7235b3be7873e0743aba6235cd3d677

    SHA1

    2481321813caff4ded19135c86301f899fb19f66

    SHA256

    4902c56dfa5b513df7c00f8fe5df90dcc46a03f194dca424ebbf6f03e7904486

    SHA512

    7310beb111ca489fd6348d40cea921d8854d99858cb2b9dc7d8211009a8c958374832f585f2cb25962e7ed3a453ca11102b7fb47be0eff8d2a7bc2b564928860

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
    Filesize

    8B

    MD5

    95513cfed79e9ace3e6fa322d940edaa

    SHA1

    e2beafef0dd7d3c3190e17d4a4402d0c3811b3ca

    SHA256

    66840cc056c60d82ab4955fe2ba32fa85c724aea8dd6d56f1b7974bfeaded159

    SHA512

    b0d9de6ae19339184a527015167df56731863c8ba2563d90ef257a49bc1cc54bd968bbfbe4b5e8367aa798d7d55318ad05a9e6cc4b35bae4e16941600c930b29

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\LET.EXE
    Filesize

    216KB

    MD5

    cb66ae727ba5ed3a3c1b1fc60dadb152

    SHA1

    6def0bea71e985e041c5796b959814b36d75e551

    SHA256

    51c82632119b14af345b42ec4bce4c780d81502b8ec67b63b631c6830fb845d6

    SHA512

    84b9219eac6fc235f74a063cad74625350132b4481c5653fa47ba8dbb0319798a5c1d5aa07701e4b542bd7fc8330dcfc3ce4037baa4af86a0bbea1d6e9b2c901

    Download Submit

  • \Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE
    Filesize

    892KB

    MD5

    5a6ac9ed6969b3be67d1d45813ee0662

    SHA1

    2b7a10d8f9c062905b2aff6c6d3a31a85c4f74fb

    SHA256

    93f31fdee5f1701424d12d3445d2c8afdf8073f79ebccf0c61e173b9b20b90a9

    SHA512

    37380b1c355dff936b46177d5315d82e74ede89fc986b12771be9300a0a041142de8cdb32e582e72c92c287b55b07a02be46172ba47a7be97a65879daf04a883

    Download Submit

  • memory/1700-194-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2612-178-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2612-180-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2668-30-0x0000000000F40000-0x0000000001024000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2720-29-0x0000000000180000-0x00000000001B2000-memory.dmp

    Filesize

    200KB

    Download