Analysis
max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2024, 23:00 UTC
Static task: static1
Behavioral task: behavioral1
Sample: KWAo.exe
Resource: win7-20241010-en
General
Target: KWAo.exe
Size: 1.3MB
MD5: 7f951c4f31319daee4a1f1ece60e5e6b
SHA1: 044d20440b4931fd9d357ea8a43f8ff047ebab5d
SHA256: c7a46fb4e1691e3b8712cb595bc25672dfb77570166cc2d2cba02cf2f9e7b728
SHA512: a87acb49cd46ae47ee1bfa6a2dc554240cdc3e55ec625f3b37df3569740565573f433dd8bdd63c578ddfe6563ee44b4f0b71c8524ac628313e733c147e86c5e0
SSDEEP: 24576:Yj5zD+Z0RKwDkheamIcjLwRqFazNBJvGKb6NUzP3olmc/nthbgRKlO:Yj5PrRZRsRqMPJvGKb6NUzvsfbjA
Malware Config
Extracted: asyncrat
  1.0.7
  segundo
  formationslistcomplet2.sexidude.com:3056
  ibsdlcboijedubuheubueyd
  delay: 1
  install: false
  install_folder: %AppData%
Signatures
Asyncrat family

Suspicious use of SetThreadContext (1 IoC)
  description                  pid   Process   procid_target
  set thread context of 2812   2700  KWAo.exe  30

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   KWAo.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   csc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description               pid   Process   procid_target
  wrote to memory of 2812   2700  KWAo.exe  30
  wrote to memory of 2812   2700  KWAo.exe  30
  wrote to memory of 2812   2700  KWAo.exe  30
  wrote to memory of 2812   2700  KWAo.exe  30
  wrote to memory of 2812   2700  KWAo.exe  30
  wrote to memory of 2812   2700  KWAo.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\KWAo.exe  "C:\Users\Admin\AppData\Local\Temp\KWAo.exe"  PID:2700
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"  PID:2812
    - System Location Discovery: System Language Discovery
Network
DNS (3 identical lookups)
  Remote address: 8.8.8.8:53
  Request:  formationslistcomplet2.sexidude.com  IN A
  Response: formationslistcomplet2.sexidude.com  IN A  181.131.217.244
  Each lookup: 81 B sent, 97 B received, 1 request, 1 response

Other flows
  152 B 3
  152 B 3
  152 B 3
  152 B 3
  152 B 3
  104 B 2