Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

资料_ins...1).exe

windows7-x64

7

资料_ins...1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2024, 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    资料_install (1).exe

  • Size

    1.5MB

  • MD5

    85df64b647baf466f4621d1be7d005e1

  • SHA1

    c090110069d644c54c8508e8e65ddcfae25949fc

  • SHA256

    5ffe8edc15b6cb41122f6cc2550621e81776bc6914ea6388aecd17eec073aea4

  • SHA512

    52f7676cd7cfd91eda286dabc13139272ac8e809c70ac80c11139193659b5f28ae75876b12845a9cc60215529d780d466c36d4e2722344b7fce870454fd15b26

  • SSDEEP

    49152:tEBdH3KQaSIE1vlbkOAZOEzRT9IynYMHK3zT27yEbYp:mBpPZIUvlkpRCyd2zwylp

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.0

Botnet

Default

C2

27.124.46.187:7415

Mutex

dljruvfxlegfirzzjpo

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
    "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Local\Temp\is-3G3UJ.tmp\资料_install (1).tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3G3UJ.tmp\资料_install (1).tmp" /SL5="$70244,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2844
        • C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
          "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Users\Admin\AppData\Local\Temp\is-GH0V3.tmp\资料_install (1).tmp
            "C:\Users\Admin\AppData\Local\Temp\is-GH0V3.tmp\资料_install (1).tmp" /SL5="$70284,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:216
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3384
              • C:\Users\Public\Documents\lPix.exe
                C:\Users\Public\Documents\lPix.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:208
                • C:\Users\Admin\AppData\Local\Temp\is-J9SL2.tmp\lPix.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-J9SL2.tmp\lPix.tmp" /SL5="$80222,544961,235520,C:\Users\Public\Documents\lPix.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3332
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1856
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /T 3
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:2572
                    • C:\Users\Public\Documents\lPix.exe
                      "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4060
                      • C:\Users\Admin\AppData\Local\Temp\is-3D78M.tmp\lPix.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-3D78M.tmp\lPix.tmp" /SL5="$20228,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:4632
                        • C:\Windows\SysWOW64\regsvr32.exe
                          "regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2752
                          • C:\Windows\system32\regsvr32.exe
                            /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
                            13⤵
                            • Loads dropped DLL
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:4484
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll' }) { exit 0 } else { exit 1 }"
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2348
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{CC9C5E29-323D-43A9-FC95-AD7085FE017F}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4820
                            • C:\Windows\system32\regsvr32.exe
                              "regsvr32" /i:INSTALL /s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
                              14⤵
                              • Loads dropped DLL
                              PID:4840
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
                "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\Documents\LDcA.xls"
                7⤵
                • Checks processor information in registry
                • Enumerates system info in registry
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:636
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
    1⤵
    • Loads dropped DLL
    PID:3976
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
    1⤵
    • Loads dropped DLL
    PID:996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    538c92b84565f96e05cbefff402cfb93

    SHA1

    d1b5e9916254d5622fa28eb21c95db397b047dd1

    SHA256

    ace278e73163a653ae50e83f2c479b28e7c4ac29caed79e7de39212799a26548

    SHA512

    6ee2183d2f60175f2b4f2bcd50401e3a1341c35f94747a684d6dd66a712baa8b0d7091a27c81dd558971a2fd4bf2a4358f616a86c4531dc5d812446b1aa842bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h01j5l1x.exo.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-3G3UJ.tmp\资料_install (1).tmp
    Filesize

    1.2MB

    MD5

    cf45d17c6928f460e9c66d8efd61d15f

    SHA1

    04f45e51c5ee587ac54084e051837cc4688f3fea

    SHA256

    a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b

    SHA512

    178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-BVF1J.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J9SL2.tmp\lPix.tmp
    Filesize

    1.2MB

    MD5

    bef5bad133138ce27f0c6e73d5a2e5f9

    SHA1

    1cfc9e170e100fc23073cdfcf590594e18598314

    SHA256

    55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65

    SHA512

    f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

    Download Submit

  • C:\Users\Admin\AppData\Local\unins000.dat
    Filesize

    3KB

    MD5

    609d7f53a1c15ae66835e8037d5c69b9

    SHA1

    48f84115c7bcd2f5cbf80d4ae4cef90af0a8c2d8

    SHA256

    56d8e6e9ac7a78cacd368f36d90a7797876cd609d2f58ca81adc4eaf5a8b08da

    SHA512

    8d47d40816111905b0110b2451aec89f1216165058ed6e31b26d6b74bdfa0015c02249ec399e036a3977404f6d015f3f60d443ca34e733faaeff1d43dfed6280

    Download Submit

  • C:\Users\Admin\AppData\Local\unins000.exe
    Filesize

    1.2MB

    MD5

    7d32e1d324403f5baf3443502f6732b9

    SHA1

    583a56865861c01413abda1daa132b577920504c

    SHA256

    4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313

    SHA512

    8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
    Filesize

    722KB

    MD5

    385e36fd28d88b4fe7051de59bcd616c

    SHA1

    0c6bac3bda42f8dedfba7559d092da5baaac81b4

    SHA256

    f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0

    SHA512

    5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    361B

    MD5

    acc949e4f0439c3205f4b233e391fafc

    SHA1

    3ee1a67e2675a5364420469159e5b4e05d1b67e6

    SHA256

    7a1570a50ad5211d0769f1b4c946322710ff33a4b226c9ed2ed53dee323f3255

    SHA512

    3e3d5636988425f7302dff76ef0b028a4a23595482c5f3baa199a5518d1ec7909ca1fa64cf50a61fac6002de40adada2dd47acbbaac9800b483129a6ec8ca2c9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    1KB

    MD5

    f56a4b83bdcddd92c863871b408ed8b9

    SHA1

    e8e944998ac610478a766ca74611b6221c6601ec

    SHA256

    bb8020e6d8be17bc7c548aa2a77aaab14754577be3394a08530d621707cd173a

    SHA512

    7bcfa92a6008f95f3cf2ad1b5ba47aa90d976cded792b32cf3645991510b7b220db6a1b43efe65d5b9bafcef3490ef787e93a7b55445219677670d4ca222721a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    2KB

    MD5

    413087ca5779944de2b42a8c637f5df1

    SHA1

    248dcee57cbe6d4965b1d69623090940661d2d69

    SHA256

    7660ba4681a9b8fe805b771e4224d20ba47af0788ac66b4b2691ada164b7bbe4

    SHA512

    ebb4cf88483b1d7cc21af9761f999c33d7fdecddc2c8763edf9f3c8dc2622d9e86499d3011c22a9fd6f667776449c592f90ee9dd11a81064c18a7dee3b249b0e

    Download Submit

  • C:\Users\Public\Documents\LDcA.xls
    Filesize

    18KB

    MD5

    d1ff725260128c439f9bce6f7a26f5ec

    SHA1

    a22f5c06fd34b59daa1475789f659e324368a76f

    SHA256

    dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d

    SHA512

    41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c

    Download Submit

  • C:\Users\Public\Documents\lPix.exe
    Filesize

    985KB

    MD5

    8cb4b8edf79a9edaf533920c9a4d2757

    SHA1

    8d5b6701db176148d9bbe8cc97338798c518201c

    SHA256

    c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2

    SHA512

    82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0

    Download Submit

  • memory/208-95-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/208-38-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/216-32-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/636-50-0x00007FFE8DD90000-0x00007FFE8DDA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-49-0x00007FFE8DD90000-0x00007FFE8DDA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-52-0x00007FFE8DD90000-0x00007FFE8DDA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-53-0x00007FFE8DD90000-0x00007FFE8DDA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-58-0x00007FFE8B760000-0x00007FFE8B770000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-59-0x00007FFE8B760000-0x00007FFE8B770000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-51-0x00007FFE8DD90000-0x00007FFE8DDA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2348-101-0x0000025E0E280000-0x0000025E0E2A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2536-12-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2536-14-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2536-35-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3224-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3224-1-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3224-48-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3332-94-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3636-7-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3636-46-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4060-70-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4060-92-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4484-125-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4484-153-0x00007FFEAA920000-0x00007FFEAA9BD000-memory.dmp

    Filesize

    628KB

    Download

  • memory/4484-171-0x0000000002CF0000-0x0000000002CFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4632-91-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download