Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2024, 10:31

General

  • Target

    1E45D6ABB8FA749D0FDE3EADD586E637.exe

  • Size

    258KB

  • MD5

    1e45d6abb8fa749d0fde3eadd586e637

  • SHA1

    4a961b4a92fa3fb1265f729d18f2f0638cba018a

  • SHA256

    d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379

  • SHA512

    58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900

  • SSDEEP

    3072:Xxjla5113NyCzPWYykCbXCfe8jtgszyAVibmbJ30U11xjZjsDQBxQh68:XZla513yAykOyG2gszyjm1EUTEDO

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

2.56.179.212:4445

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    THK.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
    "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
      "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2124
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC841.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4000
        • C:\Users\Admin\AppData\Roaming\THK.exe
          "C:\Users\Admin\AppData\Roaming\THK.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Users\Admin\AppData\Roaming\THK.exe
            "C:\Users\Admin\AppData\Roaming\THK.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1E45D6ABB8FA749D0FDE3EADD586E637.exe.log

    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

  • C:\Users\Admin\AppData\Local\Temp\tmpC841.tmp.bat

    Filesize

    147B

    MD5

    f3ba296af830b40c56fcc572a6e17661

    SHA1

    9ecba17c94cfb982ce9d5ed72772f66185255064

    SHA256

    c57c60f387666665896bfb305e1d3fd37b28ee6cfddec3402e5602594f28d3a7

    SHA512

    0da4ef2df419823ec5efcd46bb38e8d15447549194595183993cfc937d7ce7d03284dbc16dfd098f99273848f3e44765f619ca942ba9e7829b4555b828175a1f

  • C:\Users\Admin\AppData\Roaming\THK.exe

    Filesize

    258KB

    MD5

    1e45d6abb8fa749d0fde3eadd586e637

    SHA1

    4a961b4a92fa3fb1265f729d18f2f0638cba018a

    SHA256

    d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379

    SHA512

    58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900

  • memory/560-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/560-11-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/560-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/560-12-0x0000000005210000-0x00000000052AC000-memory.dmp

    Filesize

    624KB

  • memory/560-7-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1180-27-0x00000000062B0000-0x0000000006316000-memory.dmp

    Filesize

    408KB

  • memory/3016-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

  • memory/3016-10-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-4-0x0000000004D40000-0x0000000004D4A000-memory.dmp

    Filesize

    40KB

  • memory/3016-6-0x0000000004D50000-0x0000000004D68000-memory.dmp

    Filesize

    96KB

  • memory/3016-3-0x0000000004C60000-0x0000000004CF2000-memory.dmp

    Filesize

    584KB

  • memory/3016-5-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-2-0x0000000005210000-0x00000000057B4000-memory.dmp

    Filesize

    5.6MB

  • memory/3016-1-0x00000000001D0000-0x0000000000216000-memory.dmp

    Filesize

    280KB