Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2024, 18:21

General

  • Target

    SantoWare.exe

  • Size

    8.1MB

  • MD5

    9146e533d8cdfdfd620e221d6b0c8fb0

  • SHA1

    0e2e6ae26b93d62bc6e439b98ab278fd9f877c22

  • SHA256

    164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9

  • SHA512

    a73bd811f10dee9035eb075ef4487c21c5de231e725311d3638655cc723681cf419f5d0bbcc4e0557bd6e2d3e71c52fedfe5bbde8ca09a62728249132fa23d59

  • SSDEEP

    196608:S8HXVmgfjPEbX2bVj180+qWc67W21Jn2khSs50CG11:S8HXY+zEz2JZ80jv6b1JjEAGv

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.24:18891

Mutex

ojozazfbghcdrrcaa

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

ma-compile.gl.at.ply.gg:18894

Mutex

RJpwA4Zvno655gyq

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

arrowrat

Botnet

DiscordCClient

C2

know-england.gl.at.ply.gg:18903

Mutex

vlCHETDFA

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Xworm Payload 2 IoCs
  • VenomRAT 2 IoCs

    Detects VenomRAT.

  • Venomrat family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SantoWare.exe
    "C:\Users\Admin\AppData\Local\Temp\SantoWare.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordVcClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordVcClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordVcClient.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Windows\System32\DiscordVcClient.exe
      "C:\Windows\System32\DiscordVcClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordXClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordXClient.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2892
    • C:\Windows\System32\DiscordXClient.exe
      "C:\Windows\System32\DiscordXClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordXClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Client" /SC ONLOGON /TR "C:\Windows\System32\Client.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3028
    • C:\Windows\System32\Client.exe
      "C:\Windows\System32\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2980
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          4⤵
          PID:2080
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:2968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:3020
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1676
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1864
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:2700
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1600
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:1656
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
        3⤵
        PID:844
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2444 -s 664
        3⤵
        PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2564
    • C:\Windows\System32\Built.exe
      "C:\Windows\System32\Built.exe"
      2⤵
      • Executes dropped EXE
      PID:3068
      • C:\Windows\System32\Built.exe
        "C:\Windows\System32\Built.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2588

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-2-0.dll

    Filesize

    21KB

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l2-1-0.dll

    Filesize

    18KB

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\python311.dll

    Filesize

    1.6MB

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

    Filesize

    992KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9JY41S7LYTYBT12FSL6O.temp

    Filesize

    7KB

  • C:\Windows\System32\Client.exe

    Filesize

    158KB

  • C:\Windows\System32\DiscordVcClient.exe

    Filesize

    74KB

  • C:\Windows\System32\DiscordXClient.exe

    Filesize

    37KB

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-localization-l1-2-0.dll

    Filesize

    21KB

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-1.dll

    Filesize

    21KB

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-timezone-l1-1-0.dll

    Filesize

    21KB

  • \Windows\System32\Built.exe

    Filesize

    8.1MB

  • memory/2396-8-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2396-6-0x0000000002AE0000-0x0000000002B60000-memory.dmp

    Filesize

    512KB

  • memory/2396-7-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/2408-1-0x0000000000A60000-0x000000000128C000-memory.dmp

    Filesize

    8.2MB

  • memory/2408-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

    Filesize

    4KB

  • memory/2444-42-0x0000000000B80000-0x0000000000BAE000-memory.dmp

    Filesize

    184KB

  • memory/2588-131-0x000007FEF2120000-0x000007FEF270E000-memory.dmp

    Filesize

    5.9MB

  • memory/2644-30-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

  • memory/2764-22-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/2764-23-0x0000000001E50000-0x0000000001E58000-memory.dmp

    Filesize

    32KB

  • memory/2912-15-0x0000000000150000-0x0000000000168000-memory.dmp

    Filesize

    96KB

  • memory/2980-201-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

    Filesize

    64KB