Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Dehasher.exe

windows7-x64

10

Dehasher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dehasher.exe

  • Size

    1.1MB

  • MD5

    be43176a494e84f0beb04cdd86efd67d

  • SHA1

    09e738c02dfe2e8664d7072ee2d9df3fea7e2079

  • SHA256

    76a429a6968d22df6339119f21f83ad0337ad9d60be818b328dbdc8cacfbcaeb

  • SHA512

    8a8c01bb1c4aa8db4346d693c2650862f8965b897ffbabc19e04a091964b20b093e27be5fd19d7e37eb81816275b2e8da40d289c3fa3485f047d9e527a00ce11

  • SSDEEP

    24576:OCUG////SMrrr8SSCrirMSpSc9CLtrDrHO37kw8m657w6ZBLmkitKqBCjC0PDgMW:OCUd37bVV1BCjB

Score
10/10
asyncratneshtastormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7044437613:AAEXeS1SKGTrEjQ8F-7vSegWo8OLABeJY5k/sendMessage?chat_id=6052812018
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Neshta payload 2 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 3 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dehasher.exe
    "C:\Users\Admin\AppData\Local\Temp\Dehasher.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Local\Temp\LET.EXE
      "C:\Users\Admin\AppData\Local\Temp\LET.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
        "C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:4688
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1700
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:5004
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4780
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:432
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2344
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2824
    • C:\Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE
      "C:\Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\7118e685d4aa6b91f43797eecc33b54b\Admin@OARDHGDN_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\7118e685d4aa6b91f43797eecc33b54b\Admin@OARDHGDN_en-US\System\Process.txt
    Filesize

    4KB

    MD5

    841e8053ae04c42b0b7a3a8bddb7f4c9

    SHA1

    6c8e09c9162dd88474fdb9282002256930b37d3f

    SHA256

    cfe8a4df99784bcc6f2d0778a286424cda5750c5c0f8f3c28f3d5d85108e6124

    SHA512

    9550b30a92d7a1623557733550779a3da063fa4ecfedcf16e230838e8e518ba25a8ad3cd90ab08fb12bd934d7778bd40287b1e44c2fe81b9272d44e3235e7a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
    Filesize

    175KB

    MD5

    c7235b3be7873e0743aba6235cd3d677

    SHA1

    2481321813caff4ded19135c86301f899fb19f66

    SHA256

    4902c56dfa5b513df7c00f8fe5df90dcc46a03f194dca424ebbf6f03e7904486

    SHA512

    7310beb111ca489fd6348d40cea921d8854d99858cb2b9dc7d8211009a8c958374832f585f2cb25962e7ed3a453ca11102b7fb47be0eff8d2a7bc2b564928860

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LET.EXE
    Filesize

    216KB

    MD5

    cb66ae727ba5ed3a3c1b1fc60dadb152

    SHA1

    6def0bea71e985e041c5796b959814b36d75e551

    SHA256

    51c82632119b14af345b42ec4bce4c780d81502b8ec67b63b631c6830fb845d6

    SHA512

    84b9219eac6fc235f74a063cad74625350132b4481c5653fa47ba8dbb0319798a5c1d5aa07701e4b542bd7fc8330dcfc3ce4037baa4af86a0bbea1d6e9b2c901

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VIPERDEHASHER.EXE
    Filesize

    892KB

    MD5

    5a6ac9ed6969b3be67d1d45813ee0662

    SHA1

    2b7a10d8f9c062905b2aff6c6d3a31a85c4f74fb

    SHA256

    93f31fdee5f1701424d12d3445d2c8afdf8073f79ebccf0c61e173b9b20b90a9

    SHA512

    37380b1c355dff936b46177d5315d82e74ede89fc986b12771be9300a0a041142de8cdb32e582e72c92c287b55b07a02be46172ba47a7be97a65879daf04a883

    Download Submit

  • memory/1040-235-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1040-33-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1040-276-0x0000000006490000-0x000000000649A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1040-35-0x0000000005730000-0x0000000005796000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1040-34-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1040-38-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1040-256-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1708-272-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4336-37-0x0000000005880000-0x0000000005912000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4336-234-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4336-32-0x0000000000E40000-0x0000000000F24000-memory.dmp

    Filesize

    912KB

    Download

  • memory/4336-31-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4336-40-0x0000000005810000-0x000000000581A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4336-39-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-273-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-36-0x0000000005D90000-0x0000000006334000-memory.dmp

    Filesize

    5.6MB

    Download