Analysis
max time kernel: 94s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2024, 10:31
Static task: static1
Behavioral task: behavioral1
Sample: 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Resource: win7-20240903-en
General
Target: 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Size: 258KB
MD5: 1e45d6abb8fa749d0fde3eadd586e637
SHA1: 4a961b4a92fa3fb1265f729d18f2f0638cba018a
SHA256: d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379
SHA512: 58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900
SSDEEP: 3072:Xxjla5113NyCzPWYykCbXCfe8jtgszyAVibmbJ30U11xjZjsDQBxQh68:XZla513yAykOyG2gszyjm1EUTEDO
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 2.56.179.212:4445
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: THK.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (1E45D6ABB8FA749D0FDE3EADD586E637.exe)
- Executes dropped EXE (2 IoCs)
  PID 1760 THK.exe
  PID 1180 THK.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3016 set thread context of 560 (1E45D6ABB8FA749D0FDE3EADD586E637.exe, procid_target 83)
  PID 1760 set thread context of 1180 (THK.exe, procid_target 92)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: schtasks.exe (1), THK.exe (2), 1E45D6ABB8FA749D0FDE3EADD586E637.exe (2), cmd.exe (2), timeout.exe (1)
- Delays execution with timeout.exe (1 IoC)
  PID 4000 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2124 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 560 1E45D6ABB8FA749D0FDE3EADD586E637.exe (23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 560 1E45D6ABB8FA749D0FDE3EADD586E637.exe
  Token: SeDebugPrivilege, PID 1180 THK.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  PID 3016 wrote to memory of 560 (1E45D6ABB8FA749D0FDE3EADD586E637.exe, procid_target 83), 8 events
  PID 560 wrote to memory of 4944 (1E45D6ABB8FA749D0FDE3EADD586E637.exe, procid_target 85), 3 events
  PID 560 wrote to memory of 3784 (1E45D6ABB8FA749D0FDE3EADD586E637.exe, procid_target 87), 3 events
  PID 3784 wrote to memory of 4000 (cmd.exe, procid_target 89), 3 events
  PID 4944 wrote to memory of 2124 (cmd.exe, procid_target 90), 3 events
  PID 3784 wrote to memory of 1760 (cmd.exe, procid_target 91), 3 events
  PID 1760 wrote to memory of 1180 (THK.exe, procid_target 92), 8 events
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
   PID: 3016
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
      PID: 560
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. Image: C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"' & exit
         PID: 4944
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. Image: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"'
            PID: 2124
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
      3. Image: C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC841.tmp.bat""
         PID: 3784
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. Image: C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 3
            PID: 4000
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe
         4. Image: C:\Users\Admin\AppData\Roaming\THK.exe
            Command line: "C:\Users\Admin\AppData\Roaming\THK.exe"
            PID: 1760
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. Image: C:\Users\Admin\AppData\Roaming\THK.exe
               Command line: "C:\Users\Admin\AppData\Roaming\THK.exe"
               PID: 1180
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1E45D6ABB8FA749D0FDE3EADD586E637.exe.log
  Filesize: 1KB
  MD5: 7ebe314bf617dc3e48b995a6c352740c
  SHA1: 538f643b7b30f9231a3035c448607f767527a870
  SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
  SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
- Filesize: 147B
  MD5: f3ba296af830b40c56fcc572a6e17661
  SHA1: 9ecba17c94cfb982ce9d5ed72772f66185255064
  SHA256: c57c60f387666665896bfb305e1d3fd37b28ee6cfddec3402e5602594f28d3a7
  SHA512: 0da4ef2df419823ec5efcd46bb38e8d15447549194595183993cfc937d7ce7d03284dbc16dfd098f99273848f3e44765f619ca942ba9e7829b4555b828175a1f
- Filesize: 258KB
  MD5: 1e45d6abb8fa749d0fde3eadd586e637
  SHA1: 4a961b4a92fa3fb1265f729d18f2f0638cba018a
  SHA256: d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379
  SHA512: 58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900